'Payload tested' browser popup via AOL's ad network causes a scare

‘Payload tested’ browser popup via AOL’s ad network causes a scare

Today, we are looking at a strange case and a potential malvertising issue that appeared on popular news website salon.com but probably also on dozens of other websites.

Some users that browsed to that site’s home page may have received a pop up saying “payload tested” which was followed by another one saying “Its working!!!” [sic]:

The problem was that the popups would never actually stop from harassing you no matter how many times you clicked on the ‘OK’ button.

This was triggered by an advert that was delivered by wwbads via Google’s DoubleClick and Adtech (AOL’s ad serving platform). The advertiser wwbads appears to be serving normal ads but every once in a while, switches to the pop up one:

[youtube=http://youtu.be/1sM2fRf8R1E&rel=0]

 

This is cause for concern, not only because the publisher (salon.com) would certainly not appreciate subjecting their visitors to such nagging messages but also because the script itself could be anything, including something malicious.

The term ‘payload’ is also often referred to as malware, at least in the security industry. It is entirely possible that the advertiser was ‘testing’ out something new, but even if that were the case, you simply cannot do that in a live production environment.

Another possibility is that the advertiser’s platform has been hacked and actual bad guys are fooling around with it. Looking back in time, the site did once suffer a defacement:

hacked

We contacted the advertiser but they did not immediately respond to our email. We also informed AOL’s Adtech and Google’s DoubleClick as they ought to know about this kind of activity.

Adtech responded to us pretty quickly to let us know that it was an account from one of their demand-side platform users and that it had been disabled.

Technical details

The pop-up is loaded by a JavaScript snippet located on:

js.wwbads.com/testscript.js

The screenshot below shows the different hops that were made before getting there:

flow5

One of the URLs gives us an idea about the cost associated with displaying this ‘creative’:

http://show.wwbads.com/adcode/adcode?site=News%20Site&crid=895&pid=5281-237833&sourceid=adtech&auction_price=0.190375&endguard=

This strange case highlights some of the problems with online advertising and perhaps the stronger vetting procedures that need to be put in place.

While such behaviour is not only unprofessional, it affects the reputation of other ad networks, but most importantly, it puts innocent visitors at risk.

We will update this blog post if we receive additional information.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher