L.A. Times, Salon.com Hit By Large-Scale Malvertising Campaign

A wide-scale malvertising campaign targeting the L.A. Times and other name-brand sites has been uncovered

Blue Coat has uncovered a raft of malicious domains sending traffic to the searcherstypediscksruns.com/.net/.org family of Blackhole sites, including adhidclick.com, ortclick.com and several other sibling sites.

This "funnel" layer of the malvertising network was driving so much traffic – tens of thousands of hits – that Chris Larsen, Blue Coat's malware lab architect, looked into where it was all coming from. It turns out that several large, consumer-facing sites were the originators, including the LA Times, Salon.com, LA Weekly, the Fiscal Times, The Knot Wikia and the ubiquitous ad server site, doubleclick.com.

Tracing the traffic back from the funnel-site level yielded a host of sites identified as part of the malware ecosystem, acting as the link between various legitimate sites (via their ad providers) and the funnel sites.

All of the victimized host sites are large, popular destinations, but are not likely to be directly compromised, or even directly hosting the malicious ads, Larsen said in a blog post: “Most likely the ads are ending up there as part of the advertising ecosystem. Malvertising is hard to pin down.”

That’s because the attacks typically involve no user interaction: victims don't need to click on a malicious ad, and there may not even be a visible ad associated with the malicious reference. Most legitimate ad URLs deliver JavaScript chunks that eventually result in some sort of banner being displayed, Larsen said, and those chunks are often encoded or obfuscated in some way, to protect the ad server's methodology and help control ad fraud. Those chunks typically run in the "context" of the main (host) site, so if malware shows up as a result of an ad request, it appears to the world that the host page, or one of its frames/iframes, made the request. These ad networks are also complex webs of affiliate, partner and subordinate providers. Taken together, it’s very difficult to separate malvertising from the legitimate ads.

“One point of interest is how segmented this attack is – the Bad Guys managed to get each of these fake ad domains into a position of trust with a different target market, so that even if one were to be discovered, the overall attack could continue,” Larsen said. “Only mapping out the entire attack network earns a view into the stealthiest part, as the Bad Guys have gone to great lengths to blend into legitimate Web traffic.”
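The two points above, tracing traffic backwards from the funnel layer and seeing how segmented the relay layer is, can be reproduced from ordinary proxy logs by following referrer chains. The script below is an added illustration, not Blue Coat's tooling; the funnel and relay domain names come from the article, while the log lines, the client addresses and the ads.example-legit.net domain are constructed.

```python
"""Walk referrer chains in proxy logs upstream from known 'funnel' domains.

Added example: the log lines are constructed, not from the report.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Funnel/exploit-kit domains named in the report.
FUNNEL = {"searcherstypediscksruns.com", "searcherstypediscksruns.net",
          "searcherstypediscksruns.org"}

# Constructed proxy log: "<client> <referrer> <requested_url>" per line.
SAMPLE_LOG = """\
10.0.0.5 http://www.latimes.com/news/ http://adhidclick.com/ad.js
10.0.0.5 http://adhidclick.com/ad.js http://searcherstypediscksruns.com/in.php
10.0.0.7 http://www.salon.com/ http://ortclick.com/show.js
10.0.0.7 http://ortclick.com/show.js http://searcherstypediscksruns.net/in.php
10.0.0.9 http://www.latimes.com/sports/ http://ads.example-legit.net/banner.js
"""

def host(url):
    return urlsplit(url).hostname or ""

def build_referrer_graph(log_text):
    """Map requested host -> set of referrer hosts that led to it."""
    graph = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, referrer, url = parts
        graph[host(url)].add(host(referrer))
    return graph

def trace_back(graph, sinks, max_depth=5):
    """Follow referrers upstream from the funnel domains.

    Returns {depth: hosts}: depth 1 is the relay layer, depth 2 the
    originating (legitimate) sites whose ad slots delivered the chain."""
    layers, frontier, seen = {}, set(sinks), set(sinks)
    for depth in range(1, max_depth + 1):
        upstream = set()
        for h in frontier:
            upstream |= graph.get(h, set()) - seen
        if not upstream:
            break
        layers[depth] = upstream
        seen |= upstream
        frontier = upstream
    return layers

def relay_feeders(graph, relays):
    """Which originating sites feed each relay: one host per relay means
    the network is segmented, as the article describes."""
    return {r: sorted(graph.get(r, set())) for r in relays}
```

Legitimate ad hosts such as the constructed ads.example-legit.net never appear in the result because no chain from them reaches a funnel domain.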

Interestingly, all of the malvertising domains were registered at least eight months ago, and longer in some cases, and remained dormant until leaping to life in late August.

“[adhidclick.com] sat, for more than eight months, with no traffic in our logs, until 8/22 – 8/23, when it suddenly showed up over 1,400 times,” said Larsen. “All of the sites it relayed traffic to were evil. Besides the exploit kit sites mentioned, there were also a bunch of malicious junk subdomains hosted on a DynDNS host (servehttp.com), a handful of links to what I call ‘survey hell’ sites (basically spam/scam networks that use fake surveys or quizzes as bait), and a couple to a porn-malware site, just for variety.”

They all popped into life for a couple of days in August, relayed their shares of the traffic, and then retired. “It's an impressively large (and patient!) malvertising operation,” Larsen said.
