Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Uh oh – malvertizing via ICQ

January 26th 2011 in Uncategorized

I think it is worthwhile to make some observations about the comments and assumptions in the two articles I have seen so far about the ICQ incident.

First, the securelist.com article:

“The interesting thing about these cases is that the users were getting fake anti-virus browser pop ups while not actively using the computer. During our research we noticed that these pop-ups would appear right when ICQ was fetching/displaying new ads.” … Malvertizing pop-ups virtually always occur without user interaction and, yes, even when the users are not “actively using the computer”. The pop-up fires when the ad slot refreshes, not when the user does anything. E.g.: who remembers the Windows Live Messenger malverts that happened back in February 2007?


“Going by the added iframe, it looks like this store’s ad server was hacked, right? Not quite. I did some digging around and found that none of these servers – other than charlotterusse.com – are actually related to this brand of clothing.” … Interesting theory – I personally haven’t heard of a rogue advertiser claiming that their servers have been hacked but, who knows, it may have happened.


“This means that somebody went through the trouble of pretending to be this store. This is done to make sure the ad distributor will actually run the campaign, as these distributors frequently get approached by fraudsters.” … Or they were pretending to *represent* Charlotte Russe and that they were authorized to sell advertising on their behalf.  It’s not a foregone conclusion that whoever sold the malvert was pretending to be Charlotte Russe itself but, again, either scenario is possible.  For what it’s worth, the impersonation of legitimate businesses is standard modus operandi and has been for a long time.


“However, what makes this case particularly interesting is that the bad guys make it seem like their server got hacked. By making it look like their server got compromised, the criminals can claim it isn’t them who’s responsible for distributing the malware. But rather someone else who hacked their server to spread malware. The ad distributor is very likely to simply give them a warning, which gives these criminals at least one more shot at infecting more machines.” … I think “the bad guys make it seem like their server got hacked” is a matter of personal perception.  Again, it is not a proffered excuse that I have personally encountered.  Even if they did so claim, the fact that the page was hosted on “[snip]charlotterusse.eu”, which is not a legitimate Charlotte Russe domain, puts an end to the effectiveness of *that* excuse.


Elinor Mills of CNET writes:

“The attack also does not appear to have an exploit included in it; just the social-engineering aspect in which the user is lured into downloading supposed antivirus protection that is totally unnecessary, he added.”  … Yes there is bad stuff out there that tries to use security exploits to infect systems, but that being said it’s not unusual for malvertizing to *not* try to use a security exploit and simply use social engineering tactics.  All bets are off once you download and install that “antivirus protection”.  Who knows what that software may do (and what may happen to your credit card details if you hand them over).


“"They put in quite a lot of effort to seem legitimate," he said.” … Nothing unusual there.  The bad guys have been upping the ante in that regard for as long as we have been reporting on their activities.

“"Attacking yieldmanager successfully and having fake anti-virus in the ICQ ads…is something that is very high level and hard to achieve."” … Sadly, it is not that difficult to achieve, as we have seen over and over again. For example, consider the adshufffle.com incident from not long ago. How many of you immediately noticed the triple F in adshufffle.com? Not many of you, I’m betting – and that is all it takes to trick you.

Also, rather than assuming that yieldmanager was “successfully attacked”, ask yourself who accepted the advertisement.  Was it ICQ themselves?  If so, it was not “yieldmanager” that was attacked successfully, but rather whoever it was that accepted the advertising.  ICQ does, after all, solicit for advertisers.
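To make the point about lookalike domains concrete, here is a small added example of the kind of check an ad-ops reviewer could run over a submitted creative before accepting it. It is my own illustration, not code from the post or from any of the parties named in it; the creative below is constructed, and it assumes adshuffle.com (two Fs) is the legitimate network the adshufffle.com lookalike was imitating.

```python
import re
from urllib.parse import urlparse

# Hosts the advertiser is actually entitled to use (assumed for this example).
APPROVED_HOSTS = ("charlotterusse.com", "adshuffle.com")

# Constructed sample creative: a real-looking image link, plus a hidden iframe
# on a .eu lookalike and a script tag on a repeated-letter lookalike.
SAMPLE_CREATIVE = """
<a href="http://www.charlotterusse.com/"><img src="http://www.charlotterusse.com/promo.jpg"></a>
<iframe src="http://ads.charlotterusse.eu/land.html" width="1" height="1"></iframe>
<script src="http://cdn.adshufffle.com/tag.js"></script>
"""

SRC_RE = re.compile(r'<(?:iframe|script|img)[^>]*\ssrc=["\']([^"\']+)["\']', re.I)

def brand_label(host):
    # Crude second-level label ("charlotterusse" from "ads.charlotterusse.eu").
    # Good enough for .com/.eu; multi-part suffixes like .co.uk would need a suffix list.
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def collapse_runs(s):
    # "adshufffle" and "adshuffle" both become "adshufle", so a repeated letter
    # inserted to mimic a real name no longer hides the match.
    return re.sub(r"(.)\1+", r"\1", s)

def classify_host(host, approved=APPROVED_HOSTS):
    host = host.lower()
    if host in approved or any(host.endswith("." + a) for a in approved):
        return "approved"
    label = brand_label(host)
    for a in approved:
        alabel = brand_label(a)
        if label == alabel:
            return "tld-lookalike"            # same brand name, different TLD
        if collapse_runs(label) == collapse_runs(alabel):
            return "repeated-letter-lookalike"
    return "unknown"

def vet_creative(html, approved=APPROVED_HOSTS):
    # Every host the creative would load from, with a verdict for each.
    findings = []
    for url in SRC_RE.findall(html):
        host = urlparse(url).hostname
        if host:
            findings.append((host, classify_host(host, approved)))
    return findings

if __name__ == "__main__":
    for host, verdict in vet_creative(SAMPLE_CREATIVE):
        print(f"{host:28s} {verdict}")
```

Anything other than "approved" is a reason to ask the submitter who they really are before the campaign runs, which is exactly the question the post says should have been asked here.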
