Perimeter E-Security researchers recently discovered that Major League Baseball was distributing malware via a compromised ad network on its MLB.com Web site.
“Perimeter E-Security said that after analysing the packet capture taken during the infection process, it verified that it is from adginserver.com, an ad server referenced by MLB.com,” writes SC Magazine’s Dan Raywood. “It later said that the specific advert that serves the fake-anti-virus is on top of the MLB news page and points to plentywatch.com, but the banner image is stored on gipcampaign.com, which is injected with an IFRAME that redirects to adginserver.com.”
The potential number of site visitors affected is significant, according to a blog post by Perimeter E-Security research analyst Yuanyuan Grace Zeng. “According to Alexa.com, based on page views, MLB.com ranks 77th in the US, and 344th globally,” Zeng writes. “From the traffic statistics on Alexa, in the past month, every day on average, there are about 11.23 million page views on MLB[.]com. Approximately 3.24 million consumers view these pages every day. Even if the ad were only displayed once every 100 page-views, it would potentially affect over 300,000 PCs.”
“Malicious advertisements are sneaky because they are often served up by otherwise legitimate ad networks,” writes PCMag.com’s Fahmida Y. Rashid. “Most website publishers don’t display their own ads, but partner with an ad network which has a pool of online ads ready to be served. If criminals have accounts on these networks, they can slip malicious advertisements into the rotation. Site visitors who click on the advertisement are directed to the malicious site and infected. This way, criminals can infect visitors to a certain website without even going through the time-consuming process of hacking that site.”