Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.


Myvue.com, Autotrader.co.uk and other high profile Websites infected with Malvertising

Posted: 28 Feb 2011 09:53 AM | Elad Sharf | no comments


Weekends are sacred; most use them to relax and unwind but for some it's showtime! Taking advantage of the fact that a lot of security companies are more relaxed over the weekend, cyber criminals use the opportunity to strike. This weekend, the popular auto trading site Autotrader.co.uk and the cinema site Myvue.com both served ads that redirected the browsing user to malicious Web sites laden with exploits - a phenomenon also known as Malvertising. The Web sites themselves weren't compromised but were serving ads from an ad provider called Unanimis that led browsing users seamlessly - in the background and without their knowledge - to exploit sites. 


Unanimis serves ads to thousands of Websites and we've received reports that ebay.co.uk and londonstockexchange.com were also affected by this Malvertising campaign. One of the advantages that cyber criminals enjoy with Malvertising campaigns is that they can be easily spread across a large number of legitimate Websites without directly compromising those Websites, but indirectly through the use of a malicious ad. 


Websense customers are protected from such attacks with our Advanced Classification Engine analytics, our suite of technologies within TRITON.


Attack Details


The malicious ads were not served from the sites' main pages - in order for the exploit to work, specific ads would have to be loaded by the sites. For example at Autotrader.co.uk, a redirect to an exploit site through an ad would occur if the browsing user clicked on the button to search for a car, and at Myvue.com the same would happen if the browsing user clicked on the button to order movie tickets. It's at those points that more specific adverts are sent to the user's browser. 


Let's take a look at an example from Autotrader.co.uk. Here is an image that captures what happens in the background when a user searches for a car with any desired criteria:


Step 1 is the URL the user browses to when searching for a car with his/her chosen criteria: the URL carries the postcode (blurred), the price range and so on. In the background Autotrader.co.uk loads advertisements from several ad providers. At step 2 it loads an advertisement from a legitimate ad provider called Unanimis. At step 3 the ad provider redirects to the advertisement. Step 3 redirects further to step 4, but no advertisement is shown. Step 4 is a site loaded with an exploit kit, and several exploits are sent to the user's browser.
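The four-step chain above can be recovered from ordinary proxy logs by following Referer headers backwards from each request. The script below is an added example written for this post, not Websense's own tooling; the log lines and every domain in it are constructed placeholders, and the ad-network allow-list is an assumption the analyst would fill in. It flags a chain that passes through the ad provider, leaves it for a domain that is neither the ad network nor the page the user visited, and ends in a JAR or PDF download, which is the pattern described in steps 2 to 4.

```python
"""Reconstruct ad redirect chains from proxy logs and flag the ones that
leave the ad network and end in an exploit-style payload download."""
from urllib.parse import urlparse

# Constructed proxy records: (client_ip, requested_url, referer, content_type).
# Domains are placeholders, not the ones seen in the campaign.
SAMPLE_LOG = [
    ("10.0.0.5", "https://www.car-search.example/search?postcode=XX&price=5000", "", "text/html"),
    ("10.0.0.5", "https://ads.adnet.example/serve?slot=results", "https://www.car-search.example/search?postcode=XX&price=5000", "text/html"),
    ("10.0.0.5", "https://creative.adnet.example/ad123.html", "https://ads.adnet.example/serve?slot=results", "text/html"),
    ("10.0.0.5", "https://x7q.exploit-host.example/index.php", "https://creative.adnet.example/ad123.html", "text/html"),
    ("10.0.0.5", "https://x7q.exploit-host.example/load.jar", "https://x7q.exploit-host.example/index.php", "application/java-archive"),
    ("10.0.0.9", "https://www.car-search.example/search?postcode=YY", "", "text/html"),
    ("10.0.0.9", "https://ads.adnet.example/serve?slot=results", "https://www.car-search.example/search?postcode=YY", "text/html"),
    ("10.0.0.9", "https://creative.adnet.example/ad456.html", "https://ads.adnet.example/serve?slot=results", "text/html"),
]

AD_NETWORK_DOMAINS = {"adnet.example"}  # assumed allow-list of the ad provider's domains
PAYLOAD_TYPES = {"application/java-archive", "application/pdf"}  # JAR and PDF exploits

def registered_domain(url):
    """Reduce a URL to its last two host labels (good enough for this example)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def build_chains(records):
    """Map (client, url) to the list of (url, content_type) hops that led to it,
    by attaching each request to the chain of its Referer."""
    chains = {}
    for client, url, referer, ctype in records:
        parent = chains.get((client, referer), [])
        chains[(client, url)] = parent + [(url, ctype)]
    return chains

def suspicious_chains(records):
    """Return (client, [urls]) for chains that go first-party -> ad network ->
    off-network domain and finish with a JAR or PDF download."""
    flagged = []
    for (client, _url), hops in build_chains(records).items():
        domains = [registered_domain(u) for u, _ in hops]
        ad_hops = [i for i, d in enumerate(domains) if d in AD_NETWORK_DOMAINS]
        if not ad_hops:
            continue  # the ad provider never appeared in this chain
        first_party = domains[0]
        off_network = [d for d in domains[ad_hops[-1] + 1:]
                       if d not in AD_NETWORK_DOMAINS and d != first_party]
        if off_network and hops[-1][1] in PAYLOAD_TYPES:
            flagged.append((client, [u for u, _ in hops]))
    return flagged

if __name__ == "__main__":
    for client, urls in suspicious_chains(SAMPLE_LOG):
        print(client, " -> ".join(urls))
```

The second client's chain stops at the ad creative and is not flagged; only the chain that continues to the off-network host and fetches a JAR is reported.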


A car search with Autotrader.co.uk:


The Exploit


The exploit site is heavily obfuscated and serves several exploits that target Internet Explorer, Adobe Acrobat Reader, and Java. We observed that the exploit kit used is very similar to an exploit kit called "Blackhole". Here are some of the detection rates of the PDF file exploit and the Java-based exploit (JAR file). The dropped file installs a rogue antivirus on the user's computer: the software tells users that their computer is infected and offers a "cleaning antivirus" for $59.95. In the meantime the software disrupts the use and ordinary functionality of the computer by hogging CPU power, displaying disturbing pop-ups and more. The dropped file has a low detection rate.


We have been following the exploit domains in this malvertising campaign for quite a long time now, and it seems that cyber criminals use fee-based advertising networks to propagate malware; that is, cyber criminals are willing to pay in order to propagate malware. This goes hand in hand with Websense's threat Webscape predictions last year.


A snapshot of the exploit URL in Websense's ThreatSeeker Network (The "L" signifies it was captured with Real Time scanning):


The exploit site - heavily obfuscated code:


The rogue antivirus that is installed:
