Malvertising On Blogspot: Scams, Adult Content and Exploit Kits


We don’t really hear about it that much, but malvertising can and does target free blogging platforms as well. Just this morning, our friends at Virus Bulletin, Martijn Grooten and Adrian Luca, wrote about some sites hosted on Google’s Blogspot service pushing tech support scams.

We also caught some malicious activity on the Blogger platform this past week via the PLYmedia ad network. Some Blogspot websites clearly abuse the platform and stuff ads everywhere, leaving little doubt about what could go wrong.


Adult material

When browsing that Blogspot site, we were automatically redirected to an adult page, which is definitely not good if you have kids around.


Angler Exploit kit

There were also some redirections to the Angler exploit kit via fake advertisers using the fingerprinting technique.

  • Ad network: wafra.adk2x.com/ul_cb/imp?p=70368645&size=300x250&ct=html&ap=1300&u=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&r=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&iss=0&f=1
  • Rogue ad server: advertising.servometer.com/pagead/re136646/ad.jsp?click=%2F%2Fwafra.adk2x.com%2{redacted}
  • Google Open Referer: bid.g.doubleclick.net/xbbe/creative/click?r1=http%3A%2F%2Fstewelskoensinkeike.loanreview24.com%2FScKOygTMtj_rlf_qIEgRYCq.aspx
  • Angler EK landing: stewelskoensinkeike.loanreview24.com/?k=pREU&o=gQ1U2eo&f=&t=MHl&b=O83rsW&g=&n=9rYB42&h=&j=aCYeE9iDym_Ao_T25Uhszm
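
A defender's view of the chain above, as an added example that is not part of the original post: it decodes the URLs embedded in each request's query string and flags a trusted ad redirector (here `bid.g.doubleclick.net` with its `r1` parameter) that hands the browser to an unrelated domain. The trusted-domain list, the two-label domain heuristic and the function names are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: click-redirector domains the analyst normally trusts.
TRUSTED_REDIRECTORS = {"doubleclick.net"}

def host_of(url):
    """Hostname of a URL that may be logged without a scheme."""
    if not url.startswith(("http://", "https://", "//")):
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def base_domain(host):
    """Last two labels: a rough stand-in for a public-suffix lookup."""
    return ".".join(host.split(".")[-2:])

def embedded_targets(url):
    """(param, host) for every query value that decodes to a URL."""
    query = url.split("?", 1)[1] if "?" in url else ""
    found = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if value.startswith(("http://", "https://", "//")):
            target = host_of(value)
            if target:
                found.append((key, target))
    return found

def offsite_redirects(requests):
    """Hits are (redirector, param, target, followed_by_next_request)."""
    hits = []
    for i, url in enumerate(requests):
        src = host_of(url)
        if base_domain(src) not in TRUSTED_REDIRECTORS:
            continue
        nxt = host_of(requests[i + 1]) if i + 1 < len(requests) else ""
        for param, target in embedded_targets(url):
            if base_domain(target) != base_domain(src):
                hits.append((src, param, target, target == nxt))
    return hits

# URLs as listed in the post, in order; the redacted entry is left out.
CHAIN = [
    "wafra.adk2x.com/ul_cb/imp?p=70368645&size=300x250&ct=html&ap=1300&u=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&r=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&iss=0&f=1",
    "bid.g.doubleclick.net/xbbe/creative/click?r1=http%3A%2F%2Fstewelskoensinkeike.loanreview24.com%2FScKOygTMtj_rlf_qIEgRYCq.aspx",
    "stewelskoensinkeike.loanreview24.com/?k=pREU&o=gQ1U2eo&f=&t=MHl&b=O83rsW&g=&n=9rYB42&h=&j=aCYeE9iDym_Ao_T25Uhszm",
]
if __name__ == "__main__":
    print(offsite_redirects(CHAIN))
```

The `u` and `r` parameters of the first request also recover the publisher page that served the ad, which helps tie a hit back to the blog where the redirect started.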


We have alerted Google about this issue and contacted PLYmedia to let them know about that rogue advertiser.

Source: https://blog.malwarebytes.org
