Malvertising attack attempt on the KrebsOnSecurity.com portal

According to Krebs, members of an exclusive underground hacker forum recently sought to plant malware on KrebsOnSecurity.com, by paying to run tainted advertisements through the site’s advertising network - Federated Media.

The attack, he reports, was unsuccessful thanks to a variety of safeguards, but it highlights the challenges that many organizations face in combating the growing scourge of malvertising.

“Last week, I listed the various ways this blog and its author has been honored over the past few years by the cybercrime community, but I neglected to mention one recent incident: On May 27, 2011, several hackers who belong to a closely guarded English-language criminal forum called Darkode.com sought to fraudulently place a rogue ad on KrebsOnSecurity.com”, he says in his latest security posting.

The ad, he asserts, was made to appear as though it was advertising the BitDefender antivirus software, but instead it was designed to load sophakevans. co. cc, a malicious domain that has been associated with promoting scareware.

The cybercriminals, says Krebs, agreed to pay at least $272 for up to 10,000 impressions of the ad to be run on the site.

“Fortunately, I have the opportunity to review ads that come through Federated’s system. What’s more, Federated blocked the ad before it was even tagged for approval”, he says.

The Darkode forum, adds Krebs, was launched sometime in 2008 and, according to past and current members, was used primarily as a support forum for the ‘Butterfly Bot’, a prolific bot program that was sold in the underground for several years by its creator, a hacker known as Iserdo.

Iserdo will be familiar to readers of Infosecurity as one of the main people alleged to be behind the Mariposa botnet, which Krebs and Panda Security’s Luis Corrons helped to bring down.

Back on the malvertising front, Krebs says that many security-conscious readers have chosen to block ads altogether with browser add-ons like Adblock.

Blocking ads wholesale can be effective in stopping malvertisements, he notes, but this approach also has the perverse effect of blocking a primary source of revenue for many sites.

 

 
