Anatomy of an Attempted Malware Scam 139
Dynamoo writes "Malicious advertisements are getting more and more common as the Bad Guys try to use reputable ad networks to spread malware. Julia Casale-Amorim of Casale Media details the lengths that some fake companies will go to to convince ad networks to take the bait."
127.0.0.1 for Casale (Score:5, Insightful)
They've been on my HOSTS block for years, ever since one of those annoying GIF popups damn near gave me a seizure bouncing in its frame. Have they improved since?
Re: (Score:3, Informative)
Better to use 0.0.0.0 - since it's a real invalid IP, connecting to it fails instantly, while a program trying to connect to 127.0.0.1 will take a while before giving up.
Re: (Score:1, Interesting)
Your firewall is misconfigured. Dropping instead of denying is a shitty default policy.
Re: (Score:2)
but DENY lets the remote know you do exist, where as DROP makes you a black hole. I prefer TARPIT myself, but thats reserved for the throttling rules of things like my ssh blocker, and such.
Re: (Score:2)
Like reminders to not surf so much
Anyway, on one fine April 1st, I configured a webproxy to show the company's logo instead of some ads. I didn't get fired for that, hardly anyone noticed. I think I did save some bandwidth.
Re: (Score:2)
Why can't you just get an account so we can fucking block your whining, retarded drivel?
You may have answered your own question.
Re: (Score:2)
I think it was more of a rhetorical question. Perhaps they know each other in real life and this is how they bro-fist over the internet.
Re:Good Job Scott... apk (Score:5, Informative)
Good post, but for the record...
Using "0.0.0.0" instead of "127.0.0.1" is not more efficient because of size. There's only 2 bytes difference between the two; if your computer has a noticeable speedup just because it's reading 2 bytes less per HOSTS entry, you have way too many entries and probably more important problems.
The speedup, as pointed out by a different reply [slashdot.org] to GP, is because "0.0.0.0" is widely recognized as an invalid IP address, and just about every operating system will immediately fail if you try to connect to it. Using simply "127.0.0.1", the connect call has to go through the local loopback interface, and actually tries a connection, which adds up if you're accessing a lot of places at once (such as on a web page). The problem is even worse when the computer you're on is actually running something on port 80, in which case an actual connection is made, then fails, taking up more time. Or even worse: the connection times out!
Using "0.0.0.0" is good advice; I just wanted to make sure your reasons for using it are valid.
Re: (Score:2)
From my experience, any speedup gained from using 0.0.0.0 instead of 127.0.0.1 would only be detectable by measurement. I've been using a long, custom /etc/hosts file [mvps.org] for many years now. I had one on my 800 MHz, single-core, G3 iBook and there was absolutely no noticeable slowdown--and I even had Apache up and running, serving up a custom 404 so I could see a note whenever it blocked an ad (in an IFRAME; images just came in as broken) and it even logged all 404s because I never bothered to turn logging off.
I'm righter than you (Score:3, Informative)
I've been told it's weird when ACs try so hard. Also futile.
So disregard everything I said, I suck cocks.
APK
Re: (Score:1)
Re: (Score:1)
Re: (Score:3, Informative)
Yes, I am aware that reading more data from the disk is slower. However, I would like to point out that the time it takes to read an additional two (or even eight) sequential bytes off the disk is insignificant compared to the potential time wasted in a timeout.
Using "0.0.0.0" is more efficient, but not because of the primary reason you listed, even if that is a contributing factor. It's like saying that the water is boiling faster because the air is drier, but not mentioning that you turned up the burner.
I
Re: (Score:2)
Dude, get mental help. And no, I am not any of the ACs posting here.
Re: (Score:2)
1.) Learn to count... 6!=8
2.) This particular comment was meant very seriously in an attempt to help you, and not as an attack at all. Please take it under consideration.
Re: (Score:2)
Check the timestamps on the posts for your claim (the actual ones, not the random ones you made up while quoting). And I did apologize for the earlier attack and you claimed to accept my apology. Now you made me _actually_ break my word by replying :(
I am sorry for any offense I have caused you.
Re:Thanks, & see URL @ bottom of this reply (Score:4, Informative)
Yeah, in a file with that many entries, the extra 8 bytes per line would create a large performance hit.
I'm going to agree with the AC in a sibling thread, though: if your HOSTS file is larger than 10MB*, you're doing something with HOSTS it was never meant to do. It may be easier than setting up a proper DNS server, but it's not as efficient.
(I appreciate distributing a HOSTS file is easier than telling people how to setup a DNS server, though.)
I think if you start worrying about efficiency enough to start shaving bytes off of lines, you should consider the efficiency of loading a 10MB file instead of a proper DNS server, which can store this data more efficiently than a plain-text list.
My point stands for sane use cases. In my opinion, what you're doing is an abuse of HOSTS, even if it's a handy abuse.
* 10MB is an estimate. ~10 bytes per line * ~1 million lines
Re: (Score:3, Interesting)
Attacking your abuse of HOSTS files is not an attack on you. Please understand that.
Now for an attack on you: How can you have a degree and yet think it's consistent to say that shaving 2 bytes per line off (going from 127.0.0.1 to 0.0.0.0) cuts a file size down by 9MB but then shaving an additional 6 bytes per line off (0.0.0.0 -> 0) cuts only 4MB?
Now I need to force myself to stop replying to this thread, I feel like I'm being drawn into this sort of situation: http://xkcd.com/386/ [xkcd.com]
Re: (Score:2)
Now I need to force myself to stop replying to this thread, I feel like I'm being drawn into this sort of situation: http://xkcd.com/386/ [xkcd.com]
Agreed. :D
Re: (Score:2)
I'm not sure what about 50% of your rambling there means. The math in my previous comment stands for itself as I'm sure other readers can see. If you care to contest the fact that 2 bytes * x = 9MB and 6 bytes * x = 4MB are fundamentally inconsistent, please do so directly and succinctly (for example by providing a value for x for which both those equations work).
Also, I repeat my assertion that I have not posted as AC in this thread. Those you claim are impersonating you, are not me.
Making a HOSTS file s
Re: (Score:2)
Sorry, one last reply (yes, I'm bad at stopping myself). I will say that me questioning your degree just because of your inconsistent numbers was an uncalled-for attack, and I apologize for that.
I'm Surprized... (Score:5, Insightful)
Re:I'm Surprized... (Score:5, Insightful)
Seriously. The important things they learnt, consolidated in the "6 steps" at the bottom of the article are pure common-sense. Even if they're not concerned about "malvertisements" (ick) they should already have been checking references properly (i.e. using a bank's listed number, not one provided by the "agency" and checking the certificates of incorporation of them and their referees). It's common fucking sense even when you are just trying to establish whether or not to extend a line of credit to them! I wish I could have avoided swearing, but it makes me feel physically sick to think that someone can publically admit to being such a colossal moron and still have a job. Not only that, but to have people thanking her for her insight!! Idiots! How much time was wasted by her, her sales droids, her marketers etc.? Idiots! Using the word "creative" as a noun when referring to banner-ad files? Idiot!! AAAGHHH!
Re:I'm Surprized... (Score:5, Interesting)
I'm also suitably stupefied. All the "pink" and "red" flags that they are obviously so clever to spot, and which she spends almost the entire article talking about, are just her dancing around the elephant in the room: that she and her team are complete fucking idiots.
Part of me wonders if there is a difference in industries which makes this look so damn stupid.
Anyone in IT has probably seen so much malware, so many phishing and scam attempts that there's a strong chance most of us would have checked any company registration numbers with the relevant authorities, checked WHOIS information and contacted the bank directly using one of the banks' own published numbers before even returning the first email. But if you didn't normally meet such rubbish (because the IT department has already filtered out most of the malware, scams and phishing attempts before they even hit your mailbox), I wonder if you'd develop the same level of cynicism?
Re: (Score:3, Insightful)
Some of our clients have forums on their sites. We train them to check the domain info of the user trying to join their forum, compare the IP to oth
Re: (Score:2)
But she did refuse their business in the end. Thus she would have saved money had she checked the bank phone number and therefor dropped them at the very beginning.
Re: (Score:2)
"It's unfortunate that being suspicious is now a prerequisite to being good at what you do on the internet."
Being suspicious is a prerequisite to being good at life.
Re: (Score:2)
I thought that was downright hilarious, just taking numbers off the client's provided reference sheet, calling them, and getting the green light. With absolutely no verification of who was at the other end of the phone. There's absolutely zero point in taking references if you're going to implicitly trust them without any guarantee of who they are. The whole point of a reference is to get facts from a credible source. And all they were using it for is to get facts, completely skipping the "credible sour
Re: (Score:1)
Re: (Score:3, Interesting)
There's a suitably harsh analysis here:
http://industrypace.com/frontpage/2010/8/4/who-can-you-trust-interactive-advertising-is-dangerous.html [industrypace.com]
Re: (Score:3, Informative)
Re: (Score:2)
Pink flag (Score:4, Funny)
Is that close to a fuchsia, because I like totally need a flag like that to match my new outfit.
Re: (Score:1)
Such high standards! (Score:4, Insightful)
I'm comforted to know that Casale Media will pass on obnoxious mortgage refinance advertising from only verified and legitimate predatory lenders!
These checks aren't in place out of any concern for the security of ad viewers. Casale Media here is only concerned that the phantom business will disappear without paying once the botnet is established. Ad networks have demonstrated they don't give a damn so long as they get their cut.
My AdBlock Plus stays on.
Big Surprise (Score:5, Insightful)
And site owners and advertisers wonder why users go to such extremes with Adblock plus and NoScript to block ad's.
If the sites (or ad distributors) can't guarantee the safety of their own sites, then users have to do whatever is necessary to protect their own systems. If that means no advertising income for those sites - tough luck.
Re: (Score:3, Informative)
Not very extreme anymore. I just noticed that with the safari extensions, it is just one click away from the safari extensions gallery from being useful and implemented.
Re:Big Surprise (Score:4, Insightful)
And site owners and advertisers wonder why users go to such extremes with Adblock plus and NoScript to block ad's.
This. I don't mind advertisements, but after I got stung by a drive-by exploit on a work machine (either on Slashdot itself or one of its linked articles), I went straight for Adblock Plus.
I can't remember what the payload was now - something that installed 'XP Antivirus 2010' or whatever (*) - but at the time, only two AV suites could detect it and the company-mandated AV wasn't among these.
(*) Which gleefully detected 'viruses' in several ARM, MIPS and SH3 binaries before I was able to kill it
shame on you (Score:2)
Run your browser from a read-only device, that way you won't ever get stung.
Pendrive [pendrivelinux.com]
Re: (Score:2)
Run your browser from a read-only device, that way you won't ever get stung.
I did the next best thing and installed Xubuntu on an old laptop for browsing. Some of us have to develop on Windows, though. Unfortunately.
Re: (Score:2)
"I got stung by a drive-by exploit on a work machine .. something that installed 'XP Antivirus 2010"
Run your browser from a read-only device, that way you won't ever get stung.
Pendrive [pendrivelinux.com]
You could also just run your browser in a virtual machine and set the write-back to a file that's deleted every restart.
Re: (Score:2)
No kidding. I finally got ABP for Firefox. For a long time I didn't, because I understand sites need ads to be able to provide good content for free. I'm a realist. However, I finally got fed up and loaded it for three reasons:
1) Ads that block off the whole page, or redirect you while surfing and so on. Used to be just Flash shit did that so flashblock did the trick nicely. Not any more, now there's HTML ads that are massive problems. They don't want to show you an ad, they want to stop you from browsing a
Maybe it's me (Score:5, Insightful)
But if a WHOIS lookup on a new customer's domain isn't in your SOP from the get-go, you're strictly amateur hour.
Re: (Score:2, Insightful)
There is a bit of a work around.
The guys who provided a fresh set of domains really were not thinking through all of the angles.
You can easily purchase a dated domain for cheap and with any planning it would be trivial to wind up with a handful of older domains spanning various ages.
However, I do not know if the re-purchase resets the date. Otherwise, a private sale would have to be used.
In the end, these guys are likely hitting multiple sales agencies looking for a catch. While these guys might have not ta
Re: (Score:2, Interesting)
I mean, we have Google. Checking these things must only take another 10 minutes or so...? Nonetheless, can't blame them. 10 minutes adds up across many prospective clients.
Re: (Score:3, Informative)
But.. check the WHOIS for the registration date and valid contact details, check that the registrar isn't someone odd like China or Russia, check to see where the site is hosted, check the other sites on the same server and nearby IP addresses, also check the nameservers and if you are feeling more advanced check the MX handler. DomainTools or Robtex is your friend here.. very often you will find red fla
Re: (Score:1)
That, and accepting the bank phone number provided by the customer.
On the rare occasion my bank phones me, I ask them how I can call back with information I have (on my ATM card, on my statement, in my telephone book). Every single time they have complimented me on that procedure and provided the name and extension number to reach them. (OK, some times they've told me anyone in the call centre can help, and I don't need to talk to the person who called me in the first place.)
If you're verifying something
Re: (Score:2)
Isn't the part of the problem that these "ad networks" and the tangled webs of ad brokers, resellers, agencies, service providers, programmers, designers, etc that result the person offering the ad may well be thrice removed from the ad's actual creator, the company being advertised, etc?
For example, if I'm a small agency that wants to place banner ads, I'm not going to bother trying to place them directly with web sites, I go through a network. Now I may go through a small network that places its ads in
reputable ad networks? (Score:5, Interesting)
Re: (Score:2)
reputable ad networks? What are those? Is he speaking of google ad-sense? or Hulu ads? Personally, I don't consider ad networks that use banner ads as anything that are reputable (this includes any of the shady ad-networks that Google purchased as well). Non-obtrusive text ads, I can deal with. Even Hulu ads, I can deal with since it's film on film. It's just that I hate banner ads, or animated ads, when I'm in reading-mode.
I've noticed more and more ads are finding ways to subtly act like they are a part of the site. Instead of the old crap that pretended to be a Windows window, now it's "Download now" or "Download Torrent Here" or "More about this here". What's even worse are one's that attempt to provide information in the middle of instructive articles misleading you.
It's all a monstrosity. There is nothing I despise more than advertising, it's the reason I stopped watching television years ago and it may yet be the reason
Re: (Score:2)
"Reputable ad networks" is an oxymoron.
Like "trustworthy door-to-door salesman", "truthful infomercial", "respectable telemarketer", or "honest politician".
Even Hulu ads, I can deal with since it's (Score:1)
Don't know about anyone else... (Score:2, Insightful)
However, some of these people may or may not be the desperate, dirt poor, starving, "means-to-an-end" people I portrayed but, take a minute and think of the things you would probably do if there was truly, no
Malicious malverts (Score:2)
Re:Malicious malverts (Score:4, Informative)
Ultimately, how does the end users computer get infected by this `malware'?
The site linked to by the advert includes code that exploits a drive-by install using an unpatched exploit for the user's browser/OS, or uses some form of human engineering to get them to install it (i.e. like the many many "your machine is infected, follow these instructions to fix this" things that are seen out there).
At least one ad network I've seen seems to allow advertises to include custom javascript in their adverts, either that or the advertisers have found a way around the filtering the ad network does on the content, at which point such unpatched flaws can be exploited without the user needing to click the ad at all.
You lost me at "reputable ad networks" (Score:5, Insightful)
In so many words others have expressed what I have summarized down to "advertisers don't respect their audience." Their approach has almost always been the capitalist "what the market will bear" approach and as people have grown accustomed to being assaulted with ever more eye-catching colors, styles, techniques and technologies, the limits of what the market will bear erode. People no longer realize they are being disrespected. Their paid-for internet connection are being utilized. Their time is being wasted. They will install software that resists being uninstalled and drains performance and stability from their computers. I see no end to what they will do.
There is a blurry and indistinguishable line between "reputable ad networks" and "the bad guys." The reputable are certainly not constrained by morals and not by law. How can we know they aren't simply being complicit?
Re: (Score:2)
Most consumers pay a fixed fee for their connection and rarely use 50% of it's throughput. For these people ads are not taxing enough to be considered abusive even if the ads are being served partly on their dime. It's like TV or radio to them. Unmetered access so no opportunity cost.
Re: (Score:2)
If I have 20 acres of land and someone decides they want to post a sign advertising their crap on an unused portion of my land, it is actionable. It does not matter that I do not use it. It's mine, not theirs. It is a form of trespass.
The same goes for any medium or service I pay for. Look at cable/satellite TV. I don't pay for it and never have. (I don't watch it any longer either because my cable guy wouldn't take a bribe the last go around.) I don't pay for anything to provide ad space for someone
Re: (Score:3, Interesting)
In so many words others have expressed what I have summarized down to "advertisers don't respect their audience." Their approach has almost always been the capitalist "what the market will bear" approach and as people have grown accustomed to being assaulted with ever more eye-catching colors, styles, techniques and technologies, the limits of what the market will bear erode. People no longer realize they are being disrespected. Their paid-for internet connection are being utilized. Their time is being wasted. They will install software that resists being uninstalled and drains performance and stability from their computers. I see no end to what they will do.
There is a blurry and indistinguishable line between "reputable ad networks" and "the bad guys." The reputable are certainly not constrained by morals and not by law. How can we know they aren't simply being complicit?
They're disrespectful and idiots. What "targeted advertising" gets is showing people what they already have. I play EVE Online. I look up stuff on EVE Online. Going by my cookies and such, advertisers know I play EVE Online. So, what is advertised to me? To try EVE Online. They succeed in nothing.
Re: (Score:1)
I am not a customer of the advertisers. I (and my family) are a resource or commodity they don't have to pay for but are selling to other people. They only care about me insofar as my shrieks of pain at being abused don't cause the advertising customers (clients) to stop buying advertising from them, or the web hosting sites from selling space to them.
There are so many advertising agencies - all trying to harvest money from their clients - all chasing each other to the bottom of the gutter.
Given the
Do something about pages that wont load noscript'd (Score:4, Insightful)
There are plenty of pages where the site just will not load unless you give permission to run layers and layers of 3rd,4th,5th party scripts. What can we do as consumers or developers to prevent such behavior on the part of websites?
Re:Do something about pages that wont load noscrip (Score:5, Insightful)
Install User Agent Switcher and browse as Google.
nobody blows off Google.
I have not tried that, but would it work? (Score:2)
I mean, the browser is hanging on approval to run the script. If I run the script, I take the risks. If I dont run the script, then the content stops loading.
Re: (Score:2)
nobody blows off Google.
But lots of people blow off Bing.
Re: (Score:2)
Take your business elsewhere.
Re: (Score:2)
I see those from time to time. I just google whatever topic I was wanting information on and go top one of those sites instead.
Sites that require all that crap to be even vaguely useful far too often prove that sufficiently advanced incompetence is indistinguishable from malice.
"reputable ad network"... (Score:2)
...is an oxymoron.
From TFA (Score:2)
"During our investigation we discovered the phone number provided in the credit application was not a legit phone number for the bank. We also learned that the domains of each of the references provided were registered within two days of each other... and that the registrations took place only days before Bellas Interactive's request for credit was issued - despite the fact that the references "claimed" to be working with Bellas across a 6-24 month spread. And finally, the Bellas Interactive website claimed
Seems to me she's doing the same thing... (Score:1)
Re: (Score:2)
God says... Whereas Into killed understand Old initiated credibility Madness increase feet approve helper convict closing harmed twice perisheth triumpheth Apostolic
I block tons of spam that have Subjects that are a lot like that ... but they have wavy images of pills attached. ;-)