Malvertising has been around for quite a while (and will probably not be going away anytime soon).
Recently, I’ve seen incidents of a fake Firefox update that has been pushed by malvertisers. This has been getting some coverage on various websites. For example, this morning’s Internet Storm Center handler diary .
This fake update screen dates back to last year (at least). Last summer, the download was usually an .exe file while this latest incident is pushing a .js file.
For the past few days, I’ve regularly seen this fake Firefox update as well as Techinical Support Scams pushed by malvertising on Yahoo.com without any interaction on my part. Basically, I simply loaded up Yahoo.com in my browser and let it sit. Yahoo, like most larger content-based websites, will do periodic refreshes of the page as well as the advertisements on the page. Before long, I got the following:
While it didn’t happen every time I tried, quite often my browser would end up being redirected to either the fake Firefox update or a Technical Support Scam site.
What’s going on here? Has Yahoo.com been hacked? Not likely. This type of drive-by malvertising has been around for at least 6 or 7 years.
Nowadays, the process of getting an advertisement in front of a viewer has become more layered and, thus, more complicated.
Here are a few references that might be helpful if you want more information:
Real-Time Bidding and Malvertsing from Malwarebytes
Slides from a presentation on malvertising by Jérôme Segura and Chris Boyd of Malwarebytes
Here are a couple of links to “deep dives” on malvertising:
Modern Malvertising and Web-Based Exploit Campaigns
Malvertising: Under The Hood by Chris Boyd
In keeping with modern advertising methods (see links above), the path to the malicious ads has been fairly circuitous. Here are the paths followed by 3 of the latest instances that I’ve seen.
Malvertising Path Followed By Two Fake Firefox Updates From Yahoo.com (click to expand)
Malvertising Path Followed By A Tech Support Scam From Yahoo.com (click to expand)
One thing that was consistent was that if you trace back from either the fake Firefox update page or the Tech Support scam page, you would always end up at:
As far as I know, this is just a part of the complex Yahoo advertising model. It seems like someone has been able to get their malicious ad(s) inserted into the legitimate ad bidding and placement process.
Note: I have not been able to reproduce this drive-by malware condition since this morning (10/2). Perhaps, Yahoo (or the ad network) has corrected it.
I have not yet analyzed the various scripts or redirect methods that are used in this malvertising incident. Hopefully, I’ll post another blog entry with a more detailed look later this week.