DailyMotion, a highly prominent video-sharing website, is in the middle of a malvertising attack in which ads served on its platform send users to a fake antivirus (AV) scam. DailyMotion was still serving such ads at the time of writing. The site currently receives 17 million visitors a month and has an Alexa ranking of 95.
Earlier this week, a similar attack was reported on Yahoo sites in Europe, where malicious ads dropped an iframe that redirected users to websites hosting the Magnitude exploit kit, which then infected them with financial malware.
Security firm Invincea reported the issue, noting that the ads were redirecting users to a third-party domain located in Poland (webantivirusprorh.pl, 188.8.131.52).
According to VirusTotal, 10 of 47 antivirus products detected the threat; many of them flag it as another variant of the Graftor Trojan. According to Invincea, the redirection is initially loaded from the domain engine.adzerk.net.
When a user lands on DailyMotion, an invisible iframe redirects the browser to a fake AV page warning the viewer to clean a "critical process" that would otherwise cause severe system damage. A dialog box then asks the user to run a malicious executable to clean the computer immediately; if the user agrees, the system is infected.
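The redirect described above relies on an iframe the viewer never sees. The following is an added defensive example, not code from the article or from DailyMotion, Invincea or any ad network: it parses a page's HTML and flags iframes that are both hidden (zero or one-pixel size, `display:none`, `visibility:hidden`, or the `hidden` attribute) and point at a host outside the site's own domain. The sample page, the `.invalid` hostnames and the first-party domain passed in are constructed for illustration; in practice the scan would run over pages fetched by a crawler or an ad-quality check.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not captured from DailyMotion): a same-origin player
# embed, a normal-sized ad iframe, a hidden cross-origin iframe of the kind the
# article describes, and a hidden but first-party iframe.
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.dailymotion.com/embed/video/x1" width="640" height="360"></iframe>
<iframe src="https://ads.example-adnetwork.invalid/banner" width="300" height="250"></iframe>
<iframe src="http://third-party.example.invalid/landing" width="1" height="1" style="display:none"></iframe>
<iframe src="https://www.dailymotion.com/widget" style="visibility:hidden"></iframe>
</body></html>
"""

# CSS declarations that make an element invisible without removing it from the page.
HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute list of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); boolean attributes have value None.
            self.iframes.append(attrs)


def _is_tiny(value):
    """True for width/height values of 1px or less (a classic way to hide an iframe)."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def is_hidden(attrs):
    """Return True if the iframe's attributes indicate it is not meant to be seen."""
    names = {name for name, _ in attrs}
    values = dict(attrs)
    if "hidden" in names:
        return True
    if HIDDEN_STYLE.search(values.get("style") or ""):
        return True
    return _is_tiny(values.get("width")) or _is_tiny(values.get("height"))


def _is_third_party(host, first_party):
    return bool(host) and host != first_party and not host.endswith("." + first_party)


def find_suspicious_iframes(html, first_party_host):
    """Return the hosts of hidden iframes that load content from outside first_party_host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        host = urlparse(dict(attrs).get("src") or "").hostname or ""
        if _is_third_party(host, first_party_host) and is_hidden(attrs):
            findings.append(host)
    return findings


if __name__ == "__main__":
    for host in find_suspicious_iframes(SAMPLE_HTML, "dailymotion.com"):
        print("hidden third-party iframe ->", host)
```

The visible ad iframe is deliberately not flagged: ad slots are expected to be cross-origin, so the signal is the combination of hidden and third-party, not either property alone. A production check would additionally compare flagged hosts against the ad networks the site has actually contracted with.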
Such fake AV scams have been prevalent on the web for quite a while. Users are conned into believing that these executables are security software rather than malware, and are then told to buy a subscription to clean their computers of the non-existent infections. Ransomware infections, another common kind of scam, employ far more severe tricks to install malware: some lock the user's computer, claiming that law-enforcement agencies have seized the machine and that a payment is required to unlock it and make it usable again.
Between December 30 and earlier this week, Yahoo's malicious ads had been infecting machines at a rate of 27,000 per hour; the ads have since been removed in Romania, Great Britain and France. The attack on Yahoo originated from two domains registered on New Year's Day that redirected users to the Magnitude exploit kit. According to Dutch security firm Fox-IT, the kit targets Java flaws and can install a large number of potentially devastating Trojans, including Zeus, Dorkbot and Necurs, along with click-fraud malware.