Technical Foul: ESPN Hit by Malvertising Campaign

January 17, 2014 - By Chris Larsen

A few weeks ago, during the holiday season, a new malvertising server came on line, and was serving traffic on espn.go.com -- relaying victims down into a malware network. And, since we were blocking the malware network, this would have made for an excellent blog post. Unfortunately, I didn't see the ESPN traffic until a week or two later, during a review of traffic into the network, and that server had already stopped serving traffic.  :(

Well, guess what? This morning, Tim's "Popular Site Monitor" was showing a slowly-but-steadily rising tide of malicious links traced back to espn.go.com -- and it was the same evil server, at the same IP address! (The IP, 66.111.254.62, is assigned to a hosting company in Santa Monica, California.)

 

The URLs were pretty consistent, all using the same affiliate/campaign codes:

a view of some sample (identical) malvertising URLs

(With the occasional .jpg request also matching those numbers.)

 

Victims were relayed from 66.111.254.62 to a series of junk/random subdomains on earthes.info (living on a server in Russia):

a view of some sample relay URLs

 

From there, they were relayed to a network of "Fake Anti-virus" sites, with names like

  • cx-webantivirusproject.pw
  • s-webantivirusproject.pw
  • prowebprotect2600.pw
  • prowebprotectx.pw

...and so on. (Mostly "webantivirusproject" and "prowebprotect" variants in this batch.) These sites are found on servers in France, Romania, and the USA. (So if I wanted to toss in a gratuitous sports pun, I'd say someone should call "travelling" on this network...)

 

The traffic from ESPN to 66.111.254.62 began on January 10th. Interestingly, it first came from espncricinfo.com (an ESPN cricket site), in requests showing up in our Australian, Hong Kong, and UK datacenters. (Which makes perfect sense.)

Traffic was running at a very low level, perhaps to establish some trust? (There are some additional factors that indicate the ads at this stage were indeed benign.) It stayed small until late Thursday night, when it spiked, and espn.go.com began trending on our Popular Site Monitor.

 

It's interesting that the Bad Guys "went dark" for a couple of weeks between the two ad campaigns, probably in an attempt to let the heat die down. Maybe they even tried to divert suspicion after the first campaign by claiming they had just been hacked, and were cleaning up the infection...

 

--C.L.

@bc_malware_guy