Update on the Fake-AV at MLB.com — How It Is Distributed, and Who Else Distributes It

Written by Grace Zeng. Posted in Blog Post

Just a quick follow-up from yesterday’s post about fake-AV malware being served up by MLB.com. We did some more research today, about have additional details.

We pinpointed a specific ad that serves the fake-AV malware. It’s on top of the MLB news page. The ad banner points to plentywatch[.]com, but the banner image is stored on gipcampaign[.]com which is injected with an IFRAME that redirects to adginserver[.]com. Please see the following three screenshots. The ad is still present on MLB.com’s website as of 3:00pm today.

The malicious ad on mlb.com:

Where the ad is hosted:


Here’s the IFRAME injection into the ad (captured using WireShark) — click it to see the full image:


Note that MLB’s page rotates its ad display constantly. Not every visit will show this malicious ad.  But the number of consumers that could be affected is likely quite large. According to Alexa.com, based on page views, MLB.com ranks 77th in the US, and 344th globally. From the traffic statistics on Alexa, in the past month, every day on average, there are about 11.23 million page views on MLB[.]com. Approximately 3.24 million consumers view these pages every day. Even if the ad were only displayed once every 100 page-views, it would potentially affect over 300,000 PCs.  We hope MLB.com will remove this ad as soon as possible to prevent infecting more of its customers.

MLB.com is not the only website serving up fake AV from this infected advertiser. Based on an analysis of our logs, customers were served malicious ads from adginserver[.]com when visiting many other benign sites as well. As far as we can tell, airfarewatchdog[.]com, homeaway[.]com and blogspot[.]com have all served up the same type of fake-AV ads from adginserver, which ultimately redirected to the .in domains that compromised our customers.

Here’s a bit more information about adginserver, which is hosted in Germany. A direct visit to this domain redirects the browser to a popular search engine in China – Baidu.com. It seems that adginserver is not part of an ad network; its only purpose is redirection.

Domain Name:ADGINSERVER.COM Registrar:NETLYNX, INC. Whois Server:whois.netlynx.com Referral URL:http://www.netlynx.com Name Server:NS1.ADGINSERVER.COM Name Server:NS2.ADGINSERVER.COM Status:clientTransferProhibited Updated Date:11-may-2012 Creation Date:23-dec-2011 Expiration Date:23-dec-2012

Base Record Name IP Reverse Route AS
adginserver.com a hosted-by.leaseweb.com AS28753LEASEWEB-DE Leaseweb Germany GmbH

Interestingly, gipcampaign[.]com is also hosted in Germany with a similar DNS record to adginserver[.]com. With this domain record, and the fact that it directly serves the ad on MLB.com, we feel that, more likely than not, it is or part of a malicious advertising network, rather than a compromised legitimate ad site.

Domain Name:GIPCAMPAIGN.COM Registrar:NETLYNX, INC. Whois Server:whois.netlynx.com Referral URL:http://www.netlynx.com Name Server:NS1.GIPCAMPAIGN.COM Name Server:NS2.GIPCAMPAIGN.COM Status:clientTransferProhibited Updated Date:04-may-2012 Creation Date:19-jan-2012 Expiration Date:19-jan-2013

Base Record Name IP Reverse Route AS
gipcampaign.com3 hours old a hosted-by.leaseweb.com AS28753LEASEWEB-DE Leaseweb Germany GmbH

As we mentioned yesterday, Perimeter E-Security has reported the above domains to Fortinet as malware sites. Customers should consider temporarily blocking access to mlb[.]com,  airfarewatchdog[.]com, homeaway[.]com and blogspot[.]com until further notice.

Evan Keiser and Andrew Jaquith contributed to this post.

Trackback from your site.

Grace Zeng

Yuanyuan Grace Zeng is a research analyst with Perimeter E-Security. She recently received her Ph.D. in Computer Science and Engineering from the University of Michigan, Ann Arbor. Her specialty is network security with focuses on malware modeling/analysis, attack detection and mitigation as well as large-scale data analytics. Her work on botnet detection has been published in several premier security conference proceedings.

Leave a comment