More than three weeks after notifying video-sharing site DailyMotion that it was compromised, security company Invincea reports the popular website is still infected.

A spokesperson told Threatpost that Invincea’s original notification was not acknowledged and the company suspects this is a continuation of the same attack and the site was never cleaned up.

Invincea said it has again notified DailyMotion, which is the 96th most popular destination on the Internet according to Alexa. The site allows users to upload and share videos.

The attack was originally reported Jan. 7 when malicious ads were discovered on the site. Those ads were redirecting visitors to a fake AV scam. Invincea said today that the same threat is happening on the site.

A video on the security firm’s website, below, demonstrates what happens to a site visitor. Landing on the DailyMotion homepage, a visitor is presented with a dialog box warning the user that “Microsoft Antivirus” found a problem on the victim’s computer and that it needs to be cleaned. A list of potential problems is shown next and the user is enticed to run an executable pretending to be security software.

A report from Invincea shows a number of files written to the compromised computer were launched and stored in order to maintain persistence at startup. It also shows the computer communicating out to servers in the United States and Romania.

In its original advisory on Jan. 7, Invincea said that the malicious ads redirect to a third-party domain in Poland called webantivirusprorh[.]pl (93[.]115[.]82[.[246). According to VirusTotal, 10 of 47 antivirus products detect the threat; most detect it as a variant of the Graftor Trojan. The initial redirect, Invincea said, is loaded via engine[.]adzerk[.]net.

With fake AV scams, victims are tricked into installing what they think is security software but is instead malware. They’re then informed they must purchase a subscription of some kind in order to clean the computer of the infection.

Other scams, such as ransomware infections, build off this same premise but are much more sinister in that they use harsher tricks to get the user to install the malware. Some ransomware attacks lock down computers and inform the user they’re machine has been taken over by law enforcement because of some illicit activity online and the victim must pay a ransom to get their computer unlocked.

Malicious advertising, also known as malvertising, is becoming a common attack vector for spreading fake AV, ransomware and other malware redirecting victims to exploit kits. One such campaign was uncovered in September with sites including the Los Angeles Times, Women’s Health magazine and others were hosting ads serving malware. Malicious iframes redirected victims to the Blackhole Exploit Kit; Blackhole has since disappeared off the black market after the arrest of its alleged creator, a Russian hacker known as Paunch.

At the Black Hat Briefings last summer, WhiteHat Security researchers demonstrated how to use online advertising networks to distribute JavaScript and build the equivalent of a botnet that could be used to crash webservers or distribute malicious code.

Categories: Malware