Malware authors play Mario on Daily Mail website
Cue the outrage
Updated Tainted banner ads are being served up onto the Daily Mail's website.
We passed on a reader tip about a possible infection on DailyMail.co.uk to anti-virus firm Sophos, which confirmed that script served up through the site was redirecting surfers to a server linked to the spread of the strain of the Mario family of worms.
The tainted ads are the work of malicious hackers who somehow succeeded in injecting redirection scripts into banner ads. These malicious scripts generated an iFrame which pulls its content from a malicious server, located in Russia. The site attempts to exploit browser flaws to download malicious code onto unpatched Windows PCs, as part of a classic drive-by-download attack.
Analysis of the attack is ongoing.
We emailed the Daily Mail's website techies, which bounced with a no-such-user error message, but followed up with a call. An advertising sales rep confirmed he'd being informed of the attack, because of the potential impact on ads being served via site. It's unclear how far Associated Newspaper technicians have gone in blocking the attack but at least we know they are on the case. ®
The first version of this story said that the tainted ads were been served up through an ad serving network, as in commonplace in such cases. Actually the malware came from the servers of the publisher of the Mail.
Infections started on Friday
We started detecting this infection on Friday and through the weekend. Our last detection was Wednesday morning, so I suspect Associated Northcliffe Digital have sorted the issue. Identifying exactly where our users were browsing in each case is time consuming, but most appear (based on the filename) to be the Metro - but as other point out there are many titles (~200) e.g. The Standard, for which web sites are run by the group - see http://www.and.co.uk/who/sitelistnov07.html and and advertising network covering '60 premium content websites reeaching 26% of the UK internet population' http://www.and.co.uk/what/andadvertisingnetwork.html
Not surprising that such an incident has not provoked any comment from them
Sophos have a good blog post here: http://www.sophos.com/security/blog/2008/12/2078.html
They point the finger at anm.co.uk, which is Northcliffe / Associated Newspapers own ad agency rather than Eyeblaster. The loading sequence is misleading.
Saw this happen with StarTribune.com as well over the weekend with their classified ads. Fresh laptop, fully up to date on patches, Firefox 3.04 (not using noscript though), and saw two different attempts to get me to load malware. Left a message for their IT dept, no return call so hopefully they caught it. Use of noscript on another computer appeared to be enough to block the attack.