Malvertising on Blogspot: Scams, adult content, and exploit kits

We don’t really hear about it that much, but malvertising can and does target free blogging platforms as well. Just this morning, our friends at Virus Bulletin, Martijn Grooten and Adrian Luca, wrote about some sites hosted on Google’s Blogspot service pushing tech support scams.

We also caught some malicious activity on the Blogger platform this past week via the PLYmedia ad network. Some Blogspot websites clearly abuse the platform and stuff ads everywhere, leaving little doubt about what could possibly go wrong.

Adult material

When browsing that Blogspot site, we were automatically redirected to an adult page, which is definitely not good if you have kids around.

Angler Exploit kit

There were also some redirections to the Angler exploit kit via fake advertisers using the fingerprinting technique.

  • Ad network: wafra.adk2x.com/ul_cb/imp?p=70368645&size=300x250&ct=html&ap=1300&u=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&r=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&iss=0&f=1
  • Rogue ad server: advertising.servometer.com/pagead/re136646/ad.jsp?click=%2F%2Fwafra.adk2x.com%2{redacted}
  • Google Open Referer: bid.g.doubleclick.net/xbbe/creative/click?r1=http%3A%2F%2Fstewelskoensinkeike.loanreview24.com%2FScKOygTMtj_rlf_qIEgRYCq.aspx
  • Angler EK landing: stewelskoensinkeike.loanreview24.com/?k=pREU&o=gQ1U2eo&f=&t=MHl&b=O83rsW&g=&n=9rYB42&h=&j=aCYeE9iDym_Ao_T25Uhszm
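
One way a defender could pick the open-redirect hop out of a proxy capture like the chain above, shown as an added example (not code from the original post): it decodes URL-valued query parameters and reports any that sit on a trusted domain and name an outside host requested afterwards. The function names, the `TRUSTED` allowlist and the assumption that the four URLs appear in request order are all choices made for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# A parameter value that is itself a URL: http(s)://host or protocol-relative //host
URL_VALUE = re.compile(r"^(?:https?:)?//([A-Za-z0-9.-]+)", re.I)

def host_of(url):
    """Host of a logged URL; the entries below are logged without a scheme."""
    if "//" not in url.split("?", 1)[0]:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()

def in_domain(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def embedded_targets(url):
    """(parameter, host) for each query parameter whose decoded value is a URL."""
    query = url.split("?", 1)[1] if "?" in url else ""
    targets = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        match = URL_VALUE.match(value)  # tolerates truncated or redacted tails
        if match:
            targets.append((name, match.group(1).lower()))
    return targets

def followed_redirects(requests, trusted):
    """Hops where a trusted domain's parameter names an outside host visited next."""
    hits = []
    for i, url in enumerate(requests):
        carrier = host_of(url)
        if not in_domain(carrier, trusted):
            continue
        later = {host_of(u) for u in requests[i + 1:]}
        for name, target in embedded_targets(url):
            if target in later and not in_domain(target, trusted):
                hits.append((carrier, name, target))
    return hits

# The four URLs listed in the post, assumed here to be in request order.
CAPTURE = [
    "wafra.adk2x.com/ul_cb/imp?p=70368645&size=300x250&ct=html&ap=1300&u=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&r=http%3A%2F%2Fzcdnz.blogspot.com%2F2016%2F04%2Ffut-azteca13.html&iss=0&f=1",
    "advertising.servometer.com/pagead/re136646/ad.jsp?click=%2F%2Fwafra.adk2x.com%2{redacted}",
    "bid.g.doubleclick.net/xbbe/creative/click?r1=http%3A%2F%2Fstewelskoensinkeike.loanreview24.com%2FScKOygTMtj_rlf_qIEgRYCq.aspx",
    "stewelskoensinkeike.loanreview24.com/?k=pREU&o=gQ1U2eo&f=&t=MHl&b=O83rsW&g=&n=9rYB42&h=&j=aCYeE9iDym_Ao_T25Uhszm",
]
TRUSTED = ("doubleclick.net",)  # assumed allowlist entry for this example

if __name__ == "__main__":
    for carrier, name, target in followed_redirects(CAPTURE, TRUSTED):
        print(f"{carrier} parameter {name!r} redirected off-domain to {target}")
```

Only the `r1` hop is reported: the `u`, `r` and `click` parameters also embed URLs, but their carriers are not on the allowlist and their targets are not requested later in the capture.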
We have alerted Google about this issue and contacted PLYmedia to let them know about that rogue advertiser.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher