Tainted banner ads are being served up onto the Daily Mail's website. We passed on a reader tip about a possible infection on DailyMail.co.uk to anti-virus firm Sophos, which confirmed that script served up through the site was redirecting surfers to a server linked to the spread of the strain of the Mario family of worms. The …
To be honest ...
... anyone visiting DailyMail.co.uk deserves all the malware they come across.
I, as an end user, have protected myself from this common attack by blocking all adverts, not using IE, and avoiding the Daily Mail. Is that enough?
Will "Middle England" rise up against this abomination?
Na, they will be too busy firing missives about taste and decency, immigration and keeping the anti-BBC shit stirring going to notice that their PC might be on a zombie botnet.
"which we won't name in case people are tempted to visit it"
And the nanny state arrives on El Reg. D:
Who do you think you're talking to?
"a malware-harbouring website located in Russia (which we won't name in case people are tempted to visit it)"
How cute. Given the (alleged) target audience here, maybe giving the address with a "warning, lusers stay away" would have been more appropriate. I for one do like to know in advance the threat I may have to remove from my lusers' machines. And which servers I need to block at the gateway.
...now I've got the song stuck in my head. Assholes.
-Script and -surfodailymailwebsite = no risk.
I actually love the quote stating that the onus is on the 3rd party; here's my reputation in the toilet because I trusted them and relied upon them to fix the problem.
It must've been the fucking foreigners again?
Paris - because even she'd have control on the 3rd party ads on her website.
More bad news
The malware attack seems to have extended to the paper itself.
Users reading the newspaper further than the pull out centre quiz section (you know the bit of the paper without the hate and superficial analysis) will be subject to a series of "adverts".
Anyone unfortunate enough to call the numbers or send away to the addresses will be redirected to a site of unknown origin.
After deducting sums such as £29.99, £49.95 or even £109.95 from the mark's account he or she will then be subject to a barrage of Heated Lawn Spiking Slippers, Royal Dulton Posable Kitten Figurines, PVC Double Glazed Feng Shuie Step In Baths or in the worst case the Daily Mail Mac Cartoons Year Book.
The aim is to turn the recipient and family into zombies with the sole purpose of calling dial-in talk shows to spout irrational, meaningless but heartfelt drivel.
Oh and the joke?
How do you confuse a Daily Mail reader?
Tell them asylum seekers are the natural predators of paedophiles
[pirated joke sorry... AC because my colleagues read the DM]
Mr Not-a-Cluley says,...
"It's the advertiser's problem and our user's problem but not our problem. After all, we only own and run the site!"
"Websites shouldn't be expected to check all adverts they serve up, it's not practical. The third-party ad network is more responsible for checking advertising links," Cluley told El Reg.
Well Cluley should get a fucking clue. Outsourcing part of your product doesn't mean you're not responsible for it helping fund paedo scum, swan-roasting Albanians, single-mums, dole-scrounging "illegal" asylum seekers, trrsts and climate sceptics.
Not a surprise
Unpleasant side-effects from the Daily Mail? Being prone to become indignant chest-beating book-burning immigrant-hounding racist/sexist/risibly childish anti-scientific with a fairy tale fixation not enough? Malware for IEtards is just adding insult to injury.
Soar, Crash, Plunge.
And think what this will do to House Prices In Your Area.
How to confuse a Daily Mail reader....
I'm reminded of the old joke:
Q: How do you confuse a Daily Mail reader?
A: Tell him that the immigrants kill the paedophiles
@Steen Hive, Responsibility
Cluley goes on to say:
"Until the Daily Mail is confident everything is clean they need to stop serving up ads through that network. It may be that they will choose not to use the network again."
The DM can't check beforehand, but they can stop using that ad feed until they have got a very strong assurance that the ad network has cleaned up.
Not just the Daily Mail
Same exact attack has taken place in the past few days on money.excite.com, excite.com, and excite.co.uk. The poisoned banner ads in those cases were served up from ar.atwola.com, and likewise redirected to hostile servers attempting to drop this malware.
Goes to show
It was those damn Russian Muslim Leftie commies again!! Eroding the fabric of Britishness while coming over here, stealing our jobs and claiming benefits!!!!! (extra exclaimation marks for consistency) I bet they kidnapped Maddie and are working for Gordon Brown too!
Now listen, I hate the Daily Mail as much as the next man but I think Cluley is correct - it is the responsibility of ad providers to ensure they are not serving malware to their clients. And, as he pointed out, it is the responsibility of the of webmasters not to do business with ad suppliers who can't manage this. This has nothing to do with the Daily Mail and their competence or otherwise in the IT field, it's a universal aspect of Internet security.
...won't somebody PLEASE think of the Children!
I'd have thought it was obvious.
Pepole visiting the daily mail website will be exposed to the daily mail. This is significantly worse than any malware.
Who should have found the infection?
@Anonymous coward and @Steen Hive
I do believe it is impractical for the millions of websites out there to check every advertising link served up to them by a third party advertising company to check if it is legitimate. Can you imagine the resources required to do that? Sure, it would be nice if it happened - but is it realistic to expect it?
Didn't The Register itself serve up a malicious banner advert four years ago? As I recall, they responded the right way (as I would hope the Daily Mail would do) by pulling the ads and presumably asking tough questions and perhaps breaking the relationship with the advertising network.
The ad networks need to do a much better job of weeding out the malicious adverts - this is not necessarily easy to do of course.
The addition point I made to The Register, but which got left out of the report I think, is that everyone browsing the web needs to defend themselves. Many websites deliver ads via third parties, and most are not checking them for malicious links. If you have a decent anti-virus solution on your computer then that can help reduce the threat to you.
They might infect your computer but at least they didn't support the Nazis in the 30's.
Google Site Advisory - is it excessive?
I wonder what people think about all of this. The fact that people attack advertising networks is nothing new and advertising networks need to be on their guard about this.
However when I first saw (what I think was this) I got a message from Google Safe Browsing http://google.com/safebrowsing/diagnostic?tpl=safari&site=188.8.131.52&hl=en-us the message in Google Crome and Safari blocks access to the site and is "quite" negative to non sophisticated user.
In this case the site was dangerous one day in the last 90 and yet if anyone trys to load something off that site it puts up this message (rather than say loading the page WITHOUT the content from that page and putting up a pop up warning).
It always strikes me that this kind of thing makes new people fear the internet where it should be making people understand the risks and stopping them being attacked. This makes the risk appear much worse than it is and so doesn't help the situation. In addition for those that know there really isn't enough information to diagnose the true cause of the error when it is delivered via an advertising network.
Ban this sick filth!
@AC's Not-a-Cluely comment
You appear to have missed that Mr Cluley works for Sophos. He made a general comment that 3rd party ad serving companies should be careful how they serve their content. He's not someone from the Daily Mail saying "not our fault guv".
You also appear to have missed that he stated the DM would be well advised to stop serving ads from that provider until the issue is resolved.
@ the all-DM-readers-deserve-to-die-posters... Why not demonstrate what a comparitively intelligent readership el Reg has, by holding fire on the kneejerk comments?
OK I'm off now, to post something positive about Microsoft on Slashdot...
er, yes they did.
Ban This Sick Filth!!!!
I'm waiting for the Daily Fail to blame this on NuLabour. This is Gordon Brown's fault. Or shifty looking foreigners. Bring on the xenophobia! Or maybe this is the fault of the EU? Or the Human Rights Act?
Where is the have-a-go hero to save us? We need to recruit the WI or maybe a new Dads Army of silver surfers to mount DNS attacks againt these people.
@Adam White, others
I agree. The DM, hateful as they are, shouldn't have to check every single ad. If they had the people and time to do this, they wouldn't need to outsource it. The Ad company has a responsibility to check this- they're providing the service.
Reading the subtitle, I'm amazed that no-one's talked about Italian plumbers coming over here and stealing our jobs, etc
They might infect your computer but at least they didn't support the Nazis in the 30's."
Apart from the pact between Stalin and you-know-who to carve up Poland 50/50 and not fight each other?
Under no circumstances am I defending the Daily Mail.
@@ the all-DM-readers-deserve-to-die-posters...
I believe that these comments are being made to show the usual attitudes of DM readers to be the knee-jerk, baying mob reactions they are. This is a process called "satire", which is part of a wider cultural phenomenom called "humour"
On a serious note, if this can be done to one advertising network, what's to stop it being done to another (ie phorm)?
@ Graham Cluley
Quite correct Graham!
El Reg did indeed serve up malicious banner ads a few years ago in one of the first cases of its kind. Odd that this bit of history didn't find its way into the original article, perhaps this site has been learning more lessons from the DM than it cares to think about.
Banner ads are an obvious target for malware as they offer a 3rd party route into an otherwise trusted web site. The economic climate is harsh at the moment, and I don't believe that any legit site can afford to have its reputation damaged by an external supplier, why this could mean the end for the DM... oh wait. Carry on.
More seriously though the downturn could see banner ad companies consider taking on certain advertisers in future without looking too closely at them, or paying attention to the fact they are being paid with a stolen credit card by a guy called "Vlad" on the other end of an untraceable VOIP number. Time for ad blockers.
"On a serious note, if this can be done to one advertising network, what's to stop it being done to another (ie phorm)?"
I think phorm have cut out the middle man by hosting their dodgy servers in Russia.
The IP address is..
The last three numbers of the IP address are 221.133.172 - check your proxy logs for them. No, I'm not going to publish the whole IP address because you REALLY don't want to visit this site.
It's not just the Daily Mail site, Northcliffe Newspapers (part of the Daily Mail) who run some local papers and also metro.co.uk also have the same problem. In each case, the last hope before the infected site is bs.serving-sys.com (Eyeblaster), it looks like a Flash banner ad of some description. It doesn't mean that Eyeblaster are responsible for the ad though, they probably acquired it from a third party.
Stalin was Georgian.
I thought the "joke alert" icon might even be unnecessary. How wrong I was.
However, I think there is a valid point to be made here - "impracticality" of checking 3rd party content doesn't absolve a website of responsibility whatsoever - "Impracticality" is a business case, "responsibility" is an moral constraint. I am quite sure Mr. Cluley and others rest easy in the knowledge that when they travel on an aeroplane, the chain of responsibility for their safety doesn't extent to advertisers on the in-flight entertainment.
Associated News run an ad network
One thing that people should think about when spreading blame is that the Daily Mail's parent Associated News have an ad network that they offer to third parties. So in this case the network in question may have been themselves.
The problem for the Advertising Networks is that these things can be well disguised so I have a small amount of sympathy for them unfortunately the tools that spot these things often make it impossible to work out which advert caused it by not providing or removing the needed data.
One day everyone will be on the same page fighting the people trying to run these scams rather than pushing blame on the sites that run the adverts or the advertising networks.
Saw this happen with StarTribune.com as well over the weekend with their classified ads. Fresh laptop, fully up to date on patches, Firefox 3.04 (not using noscript though), and saw two different attempts to get me to load malware. Left a message for their IT dept, no return call so hopefully they caught it. Use of noscript on another computer appeared to be enough to block the attack.
Sophos have a good blog post here: http://www.sophos.com/security/blog/2008/12/2078.html
They point the finger at anm.co.uk, which is Northcliffe / Associated Newspapers own ad agency rather than Eyeblaster. The loading sequence is misleading.
Infections started on Friday
We started detecting this infection on Friday and through the weekend. Our last detection was Wednesday morning, so I suspect Associated Northcliffe Digital have sorted the issue. Identifying exactly where our users were browsing in each case is time consuming, but most appear (based on the filename) to be the Metro - but as other point out there are many titles (~200) e.g. The Standard, for which web sites are run by the group - see http://www.and.co.uk/who/sitelistnov07.html and and advertising network covering '60 premium content websites reeaching 26% of the UK internet population' http://www.and.co.uk/what/andadvertisingnetwork.html
Not surprising that such an incident has not provoked any comment from them