Three weeks ago, I wrote about a big malware attack that used malvertising as the vector to direct victims to a Fake AV attack. Since then, I’ve periodically updated my Twitter feed (@bc_malware_guy) to name additional rogue ad servers being used in the attack. While WebPulse continues to block the “downstream” sites fed by the rogue ad servers, the fact that new ad servers continue to come online makes this attack worth another look…
First, here is the list of new rogue ad servers that have been brought on-line over the last few days:
- mezomedia.net (was also used briefly back in July)
The last seven were found while I was specifically hunting for new ad servers being used in this network, but mezomedia.net was a special case. I actually found it while doing some other research, but when I checked the URL in a browser, and saw a banner ad for Gevalia coffee (albeit a different-looking banner from others in this network), I was instantly certain that this was a similar site. (After a while, you develop instincts for this, I guess…) A bit of investigation confirmed that it was indeed part of the attack, as I found log entries showing that it had attempted to relay visitors into the Fake AV attack network.
Second, here is the complete list of ad servers involved, including those from the initial post, those named in Twitter posts, those named above, and any others that I missed naming previously:
adcimp.net, adimpserv.com, adfixnet.com, adlyserver.com, adonmax.com, adquickclick.com, adquicknetwork.com, adsclickserver.com, compaqmedia.net, figiserver.com, fmdserver.com, fmdserver.net, gedcampaign.com, leventamedia.com, media-bc.com, media-bc.net, mezomedia.net, qwestat.net, senaserver.com, techcampaign.net, trapclick.com, vayocampaign.com, zohomedia.net
An interesting trend is that the registrations for the recent sites are a bit later than those of the ad servers used in the initial stages of the attack. These were registered from around the end of June to early July, in other words, a bit over a month before they began to be used in the attack. This implies that the Bad Guys have likely registered several more domains that they are holding in reserve to continue the attack. We’ll be keeping an eye out for them!