Malvertising Quick Look: Forbes.com

[Disclaimer: This analysis deals largely with circumstantial evidence, for reasons laid out in the introductory blog post to this series. Any conclusions are preliminary, and subject to change based on further research.]

The next in our series of drill-downs into breaking malvertising attacks (via the "Popular Site Monitor" list) is an interesting case, since it looks like the shady ads were only being served to one mainstream site: forbes.com, making it a possible semi-targeted attack (also known as "waterholing", since the Bad Guys set up an ambush at one particular "waterhole" on the Web, whose visitors match a target demographic). And, if nothing else, Forbes readers would indeed seem to be an attractive demographic for cybercriminals looking for people with larger-than-average bank accounts to plunder...

The shady ad server is drimlead.com, which, although it was registered (anonymously, of course) last November, didn't do anything until it suddenly sprang into life late on 2/14, and registered 161 hits in a little over 24 hours. The first two hits were dynamically rated as Malware by WebPulse (courtesy of the Malnet Tracker), and the domain was auto-added to the database, which was the source of the next 159 ratings.

Let's start with a review of the evidence. First, in their favor, the ad banner being served looks innocent:

Also, to be fair, we are missing a couple of important "coffin nails" before we can definitively close the case:

- Unlike most Malnet Tracker catches, this one is not based on a perfect fingerprint match. (However, even on non-perfect fingerprint matches, the Malnet Tracker is rarely wrong.) So it is possible that the server is innocent.

- I could't coax the ad from drimlead.com to appear in any of the Forbes pages I tried, so I've never been able to see it "in context" (where I appear as a potential victim, rather than as a snooping investigator). Consequently, there is no "smoking gun" of an exploit, or a malware payload.

Still, the evidence against drimlead.com being an innocent ad server is substantial:

- The domain registration was made via an anonymizing service. (And only for one year.)

- The domain was completely unused for the first three months of its existence.

- The only referring domain is forbes.com and several of its subdomains, yet drimlead.com does not show up directly in the HTML of any of the Forbes site pages I checked. This pretty much rules out a site-injection situation, leaving malvertising as the most likely explanation. And sure enough, a number of ad and analytics sites do occur, meaning one of those is the most likely vector -- but a real ad or analytics partner of one of these would be expected to show up in lots of places, not just one...

- There is no "site" for drimlead.com; only the path serving the ad is live.

- There are some other inconsistencies with the behavior of drimlead.com that mark it as at least  suspicious.

So, I've decided to go ahead with a public accusation of malvertising for drimlead.com, and see what happens. I'll be surprised if the owners of drimlead.com contact Blue Coat to complain about being blocked. If they do, I'll have a few questions to ask them....

--C.L.

@bc_malware_guy