Update: We received a note that SmartyAds looked at these incidents and has already blocked the offending actor.

The same malvertising campaign we documented last week continues unabated. The latest large publisher affected by it is celebrity gossip portal TMZ.com, which brings in around 30 million visitors to its website every month.

ContextWeb (PulsePoint) and SmartyAds are being abused by various rogue advertisers who leverage cloud security provider CloudFlare’s infrastructure to hide their servers’ real location and to encrypt the ad delivery.

Malvertising flow:

  • ads.contextweb.com/TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cp=557507&ct=363453&cwod=&epid=&esid=&tppg=%24%7BREFERER_URL%7D&brk=false&ccid=&wp=0&cf=300X250&asv=22&rq=1&dw=300&cwu=http%3A%2F%2Fwww.tmz.com%2F2016%2F02%2F01%2Fcrackhead-bob-dead-howard-stern-show%2F&cwr=&mrnd=97012589&if=1&tl=-1&pxy=0,0&cxy=300,250&dxy=&tz=300&ln=en-US,en-US,en-US,en-US
  • us-nj-e10.traffictradinghub.com/?t=s&winbid=0.19&k=1143fda55da87f8dedb1dcabc9195e5f
  • 88.214.193.234/?t=s&winbid=0.19&k=e948430234aecc5af66228308711bd5c
  • {redacted}.com/fill/activity/hurry.html?click=${CLICK_URL_ENC}&t=1454340922783

The malicious ad only cost $0.19 for one thousand user impressions (CPM), highlighting how cheap and effective malvertising can be.
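As an added example (not code from the original post), the hops listed above can be parsed to pull out the fields an analyst would triage from proxy logs: the publisher page carried in `cwu`, the host of each hop, any hop served from a bare IP address, and the `winbid` price. The function names are hypothetical, and the first URL is shortened to the parameters the code reads.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Hops copied from the "Malvertising flow" list above (first URL shortened to
# the parameters this example reads; the last host is redacted on the page).
CHAIN = [
    "ads.contextweb.com/TagPublish/GetAd.aspx?tagver=1&ca=VIEWAD&cf=300X250"
    "&cwu=http%3A%2F%2Fwww.tmz.com%2F2016%2F02%2F01%2Fcrackhead-bob-dead-howard-stern-show%2F",
    "us-nj-e10.traffictradinghub.com/?t=s&winbid=0.19&k=1143fda55da87f8dedb1dcabc9195e5f",
    "88.214.193.234/?t=s&winbid=0.19&k=e948430234aecc5af66228308711bd5c",
    "{redacted}.com/fill/activity/hurry.html?click=${CLICK_URL_ENC}&t=1454340922783",
]

def is_ip_literal(host):
    """True when the hop is addressed by IP instead of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyze_hop(url):
    """Extract host, publisher page and bid price from one hop."""
    parts = urlsplit("//" + url)  # the page lists hops without a scheme
    query = parse_qs(parts.query, keep_blank_values=True)
    host = parts.hostname or ""
    winbid = query.get("winbid", [None])[0]
    return {
        "host": host,
        "ip_literal": is_ip_literal(host),
        "publisher_page": query.get("cwu", [None])[0],  # parse_qs URL-decodes
        "winbid_cpm": float(winbid) if winbid is not None else None,
    }

def summarize(chain):
    """Collapse the whole redirect chain into one triage record."""
    hops = [analyze_hop(u) for u in chain]
    return {
        "publisher_page": next((h["publisher_page"] for h in hops if h["publisher_page"]), None),
        "hosts": [h["host"] for h in hops],
        "ip_literal_hops": [h["host"] for h in hops if h["ip_literal"]],
        "cpm_bids": sorted({h["winbid_cpm"] for h in hops if h["winbid_cpm"] is not None}),
    }

if __name__ == "__main__":
    for key, value in summarize(CHAIN).items():
        print(f"{key}: {value}")
```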

The good news is that if you are running Malwarebytes Anti-Exploit, the fake ad server will not deliver the redirection to the exploit kit (Angler), so you are not exposed to its various exploits and, ultimately, malware. While we did not collect the payload in this case, it is quite likely to be one of the many different strains of ransomware.

CloudFlare has been very responsive to our reports and is taking a closer look at these recent events and abuses of their service. However, our outreach to ContextWeb has not yielded anything.