
Malware in your Advertisements 12/12/15 at 1:37PM EST

Oakenfold 6 13 December 12, 2015 at 10:43 AM
Was on the following URL:
http://slickdeals.net/f/8329003-target-has-apple-ipad-pro-starting-at-645-19-plus-tax?page=2&src=SiteSearchV2#commentsBox

Observed a redirect that eventually ended at the following site (please note I've intentionally broken this URL to prevent people from browsing to this site):

[url]phaaccounty-taxes.net/d8bb63fc1546b901fad4be3652c3aeb3.html

Of course there was an attempt to download an .exe from the code on this page.

For quite a while now Slickdeals has been having some serious redirect issues (especially in Safari).

Please fix these issues, let your advertiser know this is unacceptable and you will find another advertiser.

22 Comments


Joined Jun 2004
vec vec bo berra
30,536 Posts
3,268 Reputation
Global Mod
#2
Any user who experiences this issue should run a malware scan on the computer that this is occurring on. This is usually an indication of an infection on the computer.

I did run a scan of Slickdeals and nothing was reported.
Last edited by vec December 12, 2015 at 10:55 AM
Joined Nov 2013
New User
6 Posts
13 Reputation
Original Poster
#3
Mod,
Please see Virustotal.

https://www.virustotal.com/en/url...449948052/

This site has a 3/66 positive confirmation.

Virustotal is used in the Information Security Community as a strong indicator of compromise.

While I agree the chance is always there of infection on the local machine I don't believe this to be the case.

The advertisements hosted on your site constantly rotate out, it's not going to be the same with every page load.

The advertisement loads, is presented to the user browser and redirects from Slickdeals to the site with the Malware payload.

Googling "Malvertising" will help explain what's going on with Slickdeals.
Joined Jun 2004
vec vec bo berra
30,536 Posts
3,268 Reputation
Global Mod
#4
Quote from Oakenfold:
Mod,
Please see Virustotal.

https://www.virustotal.com/en/url...449948052/

This site has a 3/66 positive confirmation.

Virustotal is used in the Information Security Community as a strong indicator of compromise.

While I agree the chance is always there of infection on the local machine I don't believe this to be the case.

The advertisements hosted on your site constantly rotate out, it's not going to be the same with every page load.

The advertisement loads, is presented to the user browser and redirects from Slickdeals to the site with the Malware payload.

Googling "Malvertising" will help explain what's going on with Slickdeals.

The URL scanned for that report was not Slickdeals. It was phaaccounty-taxes.

When scanning our website with the service referenced by you I get 0/66: Report [virustotal.com]
Joined Nov 2013
New User
6 Posts
13 Reputation
Original Poster
#5
I understand that. I'm telling you that Slickdeals is redirecting to that site more than likely through your advertisements.

"Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.[2] Online advertisements provide a solid platform for spreading malware because significant effort is put into them in order to attract users and sell or advertise the product.[3] Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like.[4][5] Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'." [6]

Malvertising is a fairly new concept for spreading malware and is even harder to combat because it can work its way into a webpage and spread through a system unknowingly: "The interesting thing about infections delivered through malvertising is that it does not require any user action (like clicking) to compromise the system and it does not exploit any vulnerabilities on the website or the server it is hosted from... infections delivered through malvertising silently travel through Web page advertisements." [7] It is able to expose millions of users to malware, even the most cautious, and is growing rapidly: "In 2012, it was estimated nearly 10 billion ad impressions were compromised by malvertising." [2] Attackers have a very wide reach and are able to deliver these attacks easily through advertisement networks. Companies and websites have had difficulty diminishing the number of malvertising attacks, which "suggests that this attack vector isn’t likely to disappear soon." [6]"

https://en.wikipedia.org/wiki/Malvertising
Joined May 2006
Keeper of the Trophy
89,143 Posts
9,359 Reputation
#6
I got the same thing earlier today, WTF SD? This was using FF42 on a Windows machine. This is 100% a redirect from a SD ad (or ad over). Was in Sweeps forum when this occurred around 11:30 CST.

Seems different redirected to url with same stuff, can't find the same web address in my history...after looking. So payload site for virus is on different portals...
Last edited by implode December 12, 2015 at 03:30 PM
Joined Jul 2013
L2: Beginner
96 Posts
38 Reputation
Web Dev
#7
Thank you Oakenfold for the heads up!

We certainly understand that it is possible for our 3rd party partners to let bad actors through and affect our users.

We will let our ad team know about this one. I want to encourage our community to always let us know when this happens. We take this very seriously. In many cases we do remove advertisers from our program if we find that they can't control the problem.
Last edited by Kap December 13, 2015 at 06:51 AM
Joined Nov 2013
New User
6 Posts
13 Reputation
Original Poster
#8
Thank you Kap for the follow-up and the follow-through!

Kudos to SD for taking this seriously!

#9
Hi, I was browsing the Slickdeals Hot Deals forum today and was suddenly redirected automatically to the same fake Firefox update malware page, but this time, the webpage is [url]thitueasyexport(dot)net/e85db2ef3695df180e73da742c0ab0f5.html. I did a lot of research to see if my computer was infected and found evidence that it is the Slickdeals website that is the problem. I recently clean installed my computer and didn't install anything yet and this discussion forum http://www.bleepingcomputer.com/f...ter/page-3 led me to this helpful thread. I just want to give another report of encountering the same dangerous misleading malware on Slickdeals. Hopefully, this urgent issue can be fixed soon before anyone's computer gets infected and hacked really badly.
#10
Quote from InFor3:
Hi, I was browsing the Slickdeals Hot Deals forum today and was suddenly redirected automatically to the same fake Firefox update malware page, but this time, the webpage is [url]thitueasyexport(dot)net/e85db2ef3695df180e73da742c0ab0f5.html. I did a lot of research to see if my computer was infected and found evidence that it is the Slickdeals website that is the problem. I recently clean installed my computer and didn't install anything yet and this discussion forum http://www.bleepingcomputer.com/f...ter/page-3 led me to this helpful thread. I just want to give another report of encountering the same dangerous misleading malware on Slickdeals. Hopefully, this urgent issue can be fixed soon before anyone's computer gets infected and hacked really badly.

I got the same thing today with a redirect to a Firefox security scanning page and it wanting me to download something from thitueasyexport. I have been getting a lot more redirects or malware-type ads from Slickdeals lately. I enjoy the site a lot, but you guys really have to check your ads out really well because a lot of people would think that it is real and download something that can be really nasty.
Joined May 2006
Keeper of the Trophy
89,143 Posts
9,359 Reputation
#11
Fix your freaking website...

Left this thread sitting, while I visited the site to enter---and it redirected to:
[Image: SD_Virus.jpg]

This is third VIRUS redirect from SD in last week, and is totally unacceptable.

Happened with FF 43.0.1 at ~10:50 CST
Last edited by implode December 20, 2015 at 09:02 AM
#12
I wrote a script that stops uninitiated redirects for this exact reason. My motivation was the exact same problem you have, regarding the exact same ad box but on a different site. Read my last post in the link for my code.

http://quakeone.com/forums/quake-talk/chat-o-rama/11922-virus-heads-up.html

MadGypsy
Joined May 2006
Keeper of the Trophy
89,143 Posts
9,359 Reputation
#13
Quote from MichaelG7328:
I wrote a script that stops uninitiated redirects for this exact reason. My motivation was the exact same problem you have, regarding the exact same ad box but on a different site. Read my last post in the link for my code.

http://quakeone.com/forums/quake-...ds-up.html

MadGypsy

Interesting solution, thanks for joining SD to try and help.
#14
You're welcome. If you use my script or use it as a starting point I hope it performs well and keeps your users safe.

Under the conditions in which I tested it, it worked rock solid. I have no way to know how solid it would be in real world application. There is a lot going on with those ad frames. In theory, my script should crush the auto-redirect.

update:
I turned the whole thing into a jQuery plugin and uploaded my test src to my website. You can download all versions (min, reg, verbose) at the following URL as well as play with my test src.

http://onemadgypsy.com/gyp_nar/
Last edited by MichaelG7328 December 22, 2015 at 07:40 PM
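
A publisher-side check for the forced redirects reported in this thread, as an added example that is not MadGypsy's script or Slickdeals code: it audits iframe embeds for sandbox tokens that let framed ad content navigate the top-level page. The markup and the ads.example.net host are constructed for illustration; `allow-top-navigation` and `allow-top-navigation-by-user-activation` are the standard HTML sandbox tokens.

```javascript
// Constructed sample markup: four ad slots with different sandbox settings.
const SAMPLE_HTML = `
<iframe id="ad-top" src="https://ads.example.net/slot1"></iframe>
<iframe id="ad-side" src="https://ads.example.net/slot2"
        sandbox="allow-scripts allow-popups allow-top-navigation"></iframe>
<iframe id="ad-foot" src="https://ads.example.net/slot3"
        sandbox="allow-scripts allow-popups allow-top-navigation-by-user-activation"></iframe>
<iframe id="ad-safe" src="https://ads.example.net/slot4" sandbox="allow-scripts"></iframe>
`;

// Return an attribute's value, "" for a bare attribute, or null if absent.
// Handles double-quoted values only, which is enough for this audit sketch.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}(?:\\s*=\\s*"([^"]*)")?(?=[\\s>/])`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? "") : null;
}

// Classify what the embedding page lets the framed document do to the top window.
function topNavigationRisk(tag) {
  const sandbox = attr(tag, "sandbox");
  // No sandbox attribute: the page itself places no restriction on the frame.
  if (sandbox === null) return "unsandboxed";
  const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
  // Frame may navigate the top-level page without any user gesture.
  if (tokens.has("allow-top-navigation")) return "forced-redirect-possible";
  // Frame may navigate the top-level page only after a user gesture.
  if (tokens.has("allow-top-navigation-by-user-activation")) return "click-only";
  // Sandboxed without either token: top-level navigation is blocked.
  return "blocked";
}

// Audit every iframe opening tag in a page's HTML.
function auditFrames(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => ({ id: attr(tag, "id"), risk: topNavigationRisk(tag) }));
}

console.log(auditFrames(SAMPLE_HTML));
```

Slots reported as `unsandboxed` or `forced-redirect-possible` are the ones to review first with the ad provider.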
#15
getting the same warning, seriously SD fix your site!