Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

Hotmail and malicious banner advertisements?

November 29th 2007 in Uncategorized

Important note: These reports are unconfirmed.


A person has posted a comment to my blog warning that they experienced a redirect while using Hotmail aka Windows Live Mail – you can read the comment here:
http://msmvps.com/blogs/spywaresucks/archive/2007/11/08/1287908.aspx#1369705


Earlier this month I spotted a similar complaint affecting MSN Groups:
http://groups.msn.com/ArtifactsofMars/general.msnw?action=get_message&mview=1&ID_Message=568


I’ve notified the appropriate parties about both of these reports, but am interested to know if any more of my readers have seen, or heard of, such problems in recent times. If you have, please contact me or post a comment. It will be very helpful if you can also tell me on what date(s) the redirect happened and what country you are in. It would be even better if you can record evidence using Fiddler or Fiddlercap, since a capture shows the full chain of requests from the advertisement to the page you ended up on, and that is what the advertising network needs in order to trace the creative responsible.


The advertising network used by MSN has been infiltrated in the past. Those who have been reading my blog for a long time will remember the outbreak that hit Windows Live Messenger, Hotmail and MSN Groups back in February this year.
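A Fiddler capture is only useful once someone walks it. The script below is an added example, not something from the original post or from Fiddler itself: it takes a capture already reduced to a list of (URL, status, headers, body) tuples, starts from each advertisement iframe, and follows the three redirect mechanisms malicious creatives of this period relied on (an HTTP 3xx, a meta refresh, and a JavaScript location assignment), flagging any hop that lands outside the hosts the site and its ad network are expected to use. The session data and every hostname in it are constructed for the example; they are not the real ad network or the real rogue-scanner domain.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed stand-in for a Fiddler/Fiddlercap capture exported as
# (request URL, status code, response headers, response body). The hostnames
# are placeholders, not the real ad network or the real rogue-scanner domain.
SAMPLE_SESSION = [
    ("http://mail.example.test/inbox", 200, {"Content-Type": "text/html"},
     '<html><body><iframe src="http://ads.example.test/serve?id=123"></iframe></body></html>'),
    ("http://ads.example.test/serve?id=123", 200, {"Content-Type": "text/html"},
     '<html><script>window.location.href="http://cdn.rogue.test/go.php";</script></html>'),
    ("http://cdn.rogue.test/go.php", 302, {"Location": "/warn.html"}, ""),
    ("http://cdn.rogue.test/warn.html", 200, {"Content-Type": "text/html"},
     '<html><head><meta http-equiv="refresh" content="0;url=http://scanner.rogue.test/index.html"></head></html>'),
    ("http://scanner.rogue.test/index.html", 200, {"Content-Type": "text/html"},
     "<html><body>Warning! Your computer is infected. Install our scanner now.</body></html>"),
]

IFRAME_SRC = re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\']', re.I)
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def next_hop(url, status, headers, body):
    """Work out where this response sends the browser next.

    Returns (absolute URL, mechanism) or None when the page stays put. The three
    mechanisms covered are an HTTP redirect, a <meta refresh>, and a JavaScript
    location assignment; relative targets are resolved against the page URL.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in hdrs:
        return urljoin(url, hdrs["location"]), "http-redirect"
    m = META_REFRESH.search(body)
    if m:
        return urljoin(url, m.group(1)), "meta-refresh"
    m = JS_LOCATION.search(body)
    if m:
        return urljoin(url, m.group(1)), "javascript"
    return None


def follow_chain(session, start_url):
    """Walk the captured responses from start_url, hop by hop, until the chain ends."""
    by_url = {u: (s, h, b) for u, s, h, b in session}
    chain = [(start_url, "start")]
    seen = {start_url}
    url = start_url
    while url in by_url:
        hop = next_hop(url, *by_url[url])
        if hop is None or hop[0] in seen:   # end of chain, or a loop
            break
        chain.append(hop)
        seen.add(hop[0])
        url = hop[0]
    return chain


def find_ad_redirects(session, allowed_hosts):
    """For every ad iframe in the capture, reconstruct its chain and flag hops
    that leave the hosts the site and its ad network are expected to use."""
    report = []
    for url, status, headers, body in session:
        if status != 200:
            continue
        for src in IFRAME_SRC.findall(body):
            chain = follow_chain(session, urljoin(url, src))
            offsite = [(u, how) for u, how in chain
                       if urlparse(u).hostname not in allowed_hosts]
            report.append({"page": url, "iframe": src, "chain": chain, "offsite": offsite})
    return report


if __name__ == "__main__":
    for item in find_ad_redirects(SAMPLE_SESSION, {"mail.example.test", "ads.example.test"}):
        print("ad iframe on", item["page"], "->", item["iframe"])
        for u, how in item["chain"]:
            print("   ", how.ljust(13), u)
        if item["offsite"]:
            print("    off-site hops:", len(item["offsite"]))
```

Run against a real export, the first off-site hop in each chain is the one to send to the advertising network, because it is the creative that introduced the redirect; everything after it is the malware distributor's own infrastructure.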




5 comments to “Hotmail and malicious banner advertisements?”

Barry

Whether this is true or not, the sheer fact that it’s *possible* has a big take-home message: you *cannot* outsource your advertising, especially not to a firm that outsources what they provide to you. It may be cheaper in the short run to simply trust what the next company down the line is providing to you, and then pass that on to your client, but just wait until the lawsuits start flying.

This may make things more difficult for small websites, but hopefully the concept of “buck stops here” advertising services will emerge, where an advertising service promises to personally inspect and approve every ad they serve.



sandi

Hi Barry,

You make a good point, and I have said the same thing myself many times, but as was demonstrated by the Sensis incident, also reported on this blog, sometimes you can be caught out even if you host the advertisements on your own server.

Such is the nature of the beast; the malicious advertisements are coded in such a way as to try and avoid detection by the victim web sites and their advertising networks.

It is not sufficient to simply run the ad to see if it does anything; nowadays the creatives must be decompiled and the code checked for suspicious content – a skill that the advertising networks and web site staff may lack.

Best wishes,

Sandi &c.
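The comment above says creatives must be decompiled and checked rather than merely played. The script below is an added example, not code from the original post or from any advertising network: it is the first, cheap pass a reviewer can make on a Flash creative before a full decompile, namely validate the SWF header, inflate a zlib-compressed ("CWS") file to its plain ("FWS") form, and scan the raw bytes for the ActionScript calls that navigate the browser and for URLs pointing at hosts the network has not approved. The two creatives it examines are constructed byte blobs, not real Flash movies, and the rogue hostname is a placeholder; a string scan like this catches the lazy cases, while a creative that builds its URL at runtime still needs the decompiler.

```python
import re
import struct
import zlib
from urllib.parse import urlparse

# Strings that, inside an ad creative, deserve a human look: the ActionScript
# calls that navigate the browser, plus script-URL and eval patterns.
SUSPICIOUS_TOKENS = [b"getURL", b"navigateToURL", b"loadMovie", b"fscommand",
                     b"ExternalInterface", b"javascript:", b"eval"]
URL_RE = re.compile(rb"https?://[\w.\-]+(?::\d+)?[^\s\"'<>\x00]*", re.I)


def unpack_swf(data):
    """Validate the SWF header and return (version, uncompressed body).

    Header layout: 3-byte signature ("FWS" plain, "CWS" zlib-compressed),
    1-byte version, 4-byte little-endian length of the uncompressed file.
    "ZWS" (LZMA) files are newer than this post and are rejected here.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    declared = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    else:
        raise ValueError("unsupported SWF signature %r" % sig)
    if len(body) + 8 != declared:
        raise ValueError("declared length %d does not match %d" % (declared, len(body) + 8))
    return version, body


def inspect_creative(data, approved_hosts):
    """String-level triage of one creative: which risky calls it contains and
    which URLs it references that are not on the approved host list."""
    version, body = unpack_swf(data)
    tokens = [t.decode() for t in SUSPICIOUS_TOKENS if t in body]
    urls = sorted({m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(body)})
    offsite = [u for u in urls if urlparse(u).hostname not in approved_hosts]
    if offsite or "javascript:" in tokens:
        verdict = "reject"      # navigates somewhere the network never approved
    elif tokens:
        verdict = "review"      # navigation calls present, but only to approved hosts
    else:
        verdict = "pass"
    return {"version": version, "tokens": tokens, "urls": urls,
            "offsite_urls": offsite, "verdict": verdict}


def build_sample_swf(payload, compress=True):
    """Wrap raw bytes in a minimal SWF header. Constructed test data only: the
    payload is not real ActionScript, just the kind of strings a scan sees."""
    header = (b"CWS" if compress else b"FWS") + bytes([9]) + struct.pack("<I", len(payload) + 8)
    return header + (zlib.compress(payload) if compress else payload)


# Constructed samples. The leading bytes are filler standing in for the
# frame-size and frame-rate fields; the rogue hostname is a placeholder.
FILLER = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00"
MALICIOUS_SAMPLE = build_sample_swf(
    FILLER + b"getURL\x00javascript:window.location='http://scanner.rogue.test/go.php'\x00")
CLEAN_SAMPLE = build_sample_swf(
    FILLER + b"clickTAG\x00http://ads.example.test/click?id=123\x00", compress=False)


if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_SAMPLE), ("clean", CLEAN_SAMPLE)):
        r = inspect_creative(blob, {"ads.example.test"})
        print(name, "->", r["verdict"], r["tokens"], r["offsite_urls"])
```

The "review" verdict exists because a legitimate creative does call getURL for its click-through; what matters is whether the destination is one the network approved, which is why the host list is an input rather than a hard-coded constant.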



One Surprised Guy

I just signed into hotmail and this happened to me (a MalwareAlarm redirect), much to my surprise. I run a clean, fully patched computer as far as I know, and I’m fairly certain that I don’t have any malicious software on my machine that assisted in this redirect.

The page it directed me to was quite sophisticated. After cancelling the attempt to install an ActiveX control, it began very realistically simulating a virus scan over hundreds of real-looking filenames and finding four or five “infections” in my computer with real-looking virus names. The “scan completed” dialog even grayed out the “scanner” background. This was slick and professional, much more so than most clumsy attempts I see. If I were somebody’s grandmama I’d be pretty convinced.

When I left the page, it threw up another dialog box reminding me that my computer was still infected and that I could only be saved by installing their tool.

Bad news; other users should watch out.



sandi

Ok, guys, I need proof. Please download and install Fiddler or Fiddlercap, delete all cookies, temporary internet files and your Flash Cache as per instructions to the left of screen in the “News” section of this blog, and contact me if you manage to record a redirect at Hotmail.

We’ve been able to clean things up before, we can do it again.

Thanks!

Sandi &c.




