Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

MLB.COM users hijacked and redirected to pornographic web site, complete with graphic videos – DOUBLECLICK involved

December 30th 2007 in Uncategorized

Over the Christmas break I have received reports of malicious banner advertisements hitting espn.com, Lycos mail and usatoday.com, as well as smaller sites such as adrants.com, marketingvox.com, minnesparare.com, all of which I am investigating.

The above reports are bad enough, but by far the most worrying report that I received was the one alleging that visitors to MLB.COM were being redirected to a pornographic web site – of course, this one is going to get my immediate attention. 

Sadly, I can confirm that this hijack is occurring – a quick analysis of what is happening is as follows.

Let’s work backwards from the end pornographic site, and trace our steps back to MLB.COM.

The target pornographic site is (URL mangled for obvious reasons):
hq tube . com

The referrer for hq tube . com was:
ad.doubleclick.net/1674952/mlb_chanel.swf?clickTag=http%3A//ad.doubleclick.net/click%253Bh%3Dv8/3639/3/0/%252a/p%253B167905078%253B0-
0%253B0%253B5683346%253B4307-300/250%253B24079572/24097425/1%253B%253B%257Eaopt%253D3/1/ff/0%253B%257Esscs%253D%253fhttp%3A//
chanel.com/wfj-global/en-us/index.php%3Ffullscreen%3D1%26x%3D-4%26y%3D-4%26width%3D1288%26height%3D778

(Thanks Kimberley for the screenshot of the SWF in question)

Each and every attempt to load the URL above immediately redirects me to the pornographic site.  If we clean things up even further and simply load the URL ad.doubleclick.net/1674952/mlb_channel.swf? I am still redirected to the pornographic site.

We step back one further – the referrer for the doubleclick URL is:
mlb.mlb.com/news/article.jsp?ymd=20071219&content_id=2333449&vkey=news_mlb&fext=.jsp&c_id=mlb

OK, so now we have evidence that the malicious advertisement is ad.doubleclick.net/1674952/mlb_channel.swf, and that it is being displayed on the MLB.COM web site. As always, a Fiddler capture (in fact several captures) is available to the appropriate authorities, as well as to authorized representatives of MLB.COM and Doubleclick.  I also have a video capture of the redirect in AVI format.
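As an added illustration (not the author's code or captures), the Python below reconstructs the referrer chain walked above from a constructed set of request/Referer pairs, and peels the double percent-encoding off the clickTag parameter of the DoubleClick SWF URL quoted earlier to expose its declared click-through destination. The redirect target's hostname is a placeholder.

```python
from urllib.parse import unquote, urlparse

# The DoubleClick SWF URL quoted in the post, rejoined into one string.
SWF_URL = (
    "http://ad.doubleclick.net/1674952/mlb_chanel.swf?clickTag=http%3A//ad.doubleclick.net/"
    "click%253Bh%3Dv8/3639/3/0/%252a/p%253B167905078%253B0-0%253B0%253B5683346%253B4307-300/"
    "250%253B24079572/24097425/1%253B%253B%257Eaopt%253D3/1/ff/0%253B%257Esscs%253D%253fhttp"
    "%3A//chanel.com/wfj-global/en-us/index.php%3Ffullscreen%3D1%26x%3D-4%26y%3D-4%26width"
    "%3D1288%26height%3D778"
)
MLB_URL = ("http://mlb.mlb.com/news/article.jsp?ymd=20071219&content_id=2333449"
           "&vkey=news_mlb&fext=.jsp&c_id=mlb")
# Constructed (request URL, Referer) pairs mirroring the post; the redirect
# target's hostname is a placeholder, not the real site.
CAPTURE = [(MLB_URL, None), (SWF_URL, MLB_URL), ("http://redirect-target.example/", SWF_URL)]


def trace_chain(records, final_url):
    """Follow Referer headers backwards from final_url; returns hostnames, last hop
    first.  A missing referrer or a loop ends the walk."""
    referrer_of = dict(records)
    chain, seen = [final_url], {final_url}
    ref = referrer_of.get(final_url)
    while ref and ref not in seen:
        chain.append(ref)
        seen.add(ref)
        ref = referrer_of.get(ref)
    return [urlparse(u).hostname for u in chain]


def decode_layers(value):
    """Percent-decode until the string stops changing; every layer, outermost first."""
    layers = [value]
    while unquote(layers[-1]) != layers[-1]:
        layers.append(unquote(layers[-1]))
    return layers


def clicktag_target(url):
    """(encoding depth, declared click-through URL) for a DoubleClick clickTag.
    The raw query is split by hand so nothing is decoded before counting layers."""
    for part in urlparse(url).query.split("&"):
        key, _, val = part.partition("=")
        if key == "clickTag":
            decoded = decode_layers(val)
            # the landing page is the last absolute URL embedded in the tracker
            return len(decoded) - 1, decoded[-1][decoded[-1].rfind("http://"):]
    return 0, None
```

The declared clickTag destination decodes to the chanel.com page, yet the post notes that the SWF redirects even when loaded with no parameters at all, which points at the creative itself rather than the tracking URL. Comparing the declared destination against the observed redirect is a quick first triage step for any suspect banner.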

The first appearance of Doubleclick ID 1674952 is this URL:
ad.doubleclick.net/adi/mlb.mlb/homepage;;pos=1;sz=300×250;tile=1;ord=274715194

Whatever you do, don’t try to load that URL as it appears above – it will send your web browser into an uncontrollable loop of new windows being opened.  I had to pull the plug on internet access and wait several minutes for the test system to stabilise before I could close the browser windows and continue my investigation.

So, let’s clean up the above URL so that it can be loaded safely, and have a look at this URL:
ad.doubleclick.net/adi/mlb.mlb/274715194

As you will see, there are several different advertisements that appear in rotation.  So, which one is the culprit?  That is not something that I can answer, but I can promise you that I will be passing this information on to people far brainier than me.

This is a very frightening development.  It is bad enough that fraudware such as WinFixer and its ilk uses maliciously coded banner advertisements to hijack visitors to legitimate sites; now that the porn pushers are getting involved, surely it will force the advertising industry to act, not to mention the governmental authorities, who will be extremely concerned that anybody, no matter what their age, may be involuntarily exposed to hard-core pornography.

Watch this space for developments.  Below are screenshots that capture the fact of the redirect – you’ll see that mlb.com content is still being displayed, but that we’ve been redirected to the porn site, which is in the midst of being loaded.  Note the addressbar URL, the title of the tab, and the status bar information “waiting for http://…”

Doubleclick and MLB are being contacted.

(Screenshots: malware, malware2)
