Malicious Ads on DailyMotion Redirect to Fake AV Attack

Popular video-sharing site DailyMotion is serving malicious ads that redirect site visitors to domains hosting Fake AV malware, security firm Invincea reports.

Video-sharing site DailyMotion, one of the most popular destinations on the Web, is in the throes of an attack where it is serving malicious ads redirecting users to a fake AV scam.

Security firm Invincea reported the issue to the website, and as of 4 p.m. ET, DailyMotion was still serving the fake AV malware.

This is the second malvertising attack reported this week. Earlier, Yahoo sites in Europe were serving ads that dropped an iframe sending users to domains hosting the Magnitude exploit kit, which then seeded victims with a host of financial malware.

DailyMotion attracts 17 million monthly visitors and is the 95th-ranked website according to Alexa.

Invincea said that the malicious ads redirect to a third-party domain in Poland called webantivirusprorh[.]pl (93[.]115[.]82[.[246). According to VirusTotal, 10 of 47 antivirus products detect the threat; most detect it as a variant of the Graftor Trojan. The initial redirect, Invincea said, is loaded via engine[.]adzerk[.]net.

When the user lands on the DailyMotion home page, an invisible iframe redirects to the scam which warns the user of a critical process that must be cleaned to prevent system damage. The victim is then presented with a dialog box that offers to clean the computer of the problem. If the user agrees, they’re asked to run a file which is the malicious executable.

Fake AV scams have been in circulation for years; generally victims are tricked into installing what they think is security software but is instead malware. They’re then informed they must purchase a subscription of some kind in order to clean the computer of the infection.

Other scams, such as ransomware infections, build off this same premise but are much more sinister in that they use harsher tricks to get the user to install the malware. Some ransomware attacks lock down computers and inform the user they’re machine has been taken over by law enforcement because of some illicit activity online and they victim must pay a ransom to get their computer unlocked.

Yahoo, meanwhile, removed the malicious ads infecting users in a number of European countries, primarily Romania, Great Britain and France, but not before an estimated 27,000 infections per hour took place between Dec. 30 and when the attack stopped this week.

The malicious ads in the Yahoo attack were served from a number of different domains, including two registered on New Year’s Day, and redirected victims to sites hosting the Magnitude Exploit Kit. The kit targets Java vulnerabilities and installs a number of dangerous Trojans, including Zeus, Dorkbot, Necurs and a number of click-fraud malware, according to Dutch security company Fox-IT, which reported the incident to Yahoo last week.

Suggested articles