

Malvertising, Black-hat SEO, Phishing


(If you have your own story to relate about malvertising, especially if you have inside knowledge from the perspective of an advertising network, please email me asap — I’m not hard to find. I have plenty of material to fill the session, but it’s more fun with more people talking.)

In recent years, the Star Tribune, New York Times, and Fox News web sites have been abused in well-publicized FakeAV scareware campaigns. During a snow emergency last year, the WCCO and KARE11 web sites were serving up more serious malware that attracted little attention outside the security community.

If you’re not the Times, you don’t need to worry so much about becoming a target of choice, but you may be a target of opportunity. So please:

  • Vet third-party content, especially display ads and user comments/backlinks
  • Follow best security practices, such as those published by OWASP
  • Secure your own client machine against malware such as the Gumblar worm, which stole site credentials from developers' PCs
  • Dump site-local passwords: delegate login to one or more of OAuth, FB Connect, OpenID, etc.

Things IT shops do to defend against web-based attacks from legitimate web sites:

  • Use IDS/IPS to find evil in “real time”
  • Use DNS and/or proxy logs to find evil retroactively
  • Consider URL/domain blacklisting services (with caveats)
  • Patch and harden clients
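A minimal version of the retroactive hunt in the second bullet, as an added example that is not part of the session notes: it parses Squid-native proxy lines and BIND-style query-log lines into (time, client, hostname), then matches each hostname against a domain indicator list by exact name or parent domain. The log lines and the indicator list are constructed for the example (RFC 2606 reserved names, not real malicious domains); in practice the list would come from your IDS alerts or a blacklist feed.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed indicator list for the example (RFC 2606 reserved names).
INDICATORS = {"malicious.example", "scareware.invalid"}

# Squid native access.log: ts elapsed client code/status bytes method url ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)
# BIND-style query log: "DD-Mon-YYYY HH:MM:SS.mmm client IP#port: query: name IN ..."
BIND_RE = re.compile(
    r"^(?P<date>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN"
)


def host_of(url):
    """Hostname from a Squid URL field; CONNECT requests log host:port only."""
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def matching_indicator(host, indicators=INDICATORS):
    """Return the indicator that equals host or is a parent domain of it."""
    host = host.rstrip(".").lower()
    for ind in indicators:
        # Require a dot boundary so 'notmalicious.example' does not match.
        if host == ind or host.endswith("." + ind):
            return ind
    return None


def parse_line(line):
    """Normalise one proxy or DNS log line; None if the format is unknown."""
    m = SQUID_RE.match(line)
    if m:
        ts = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
        return ts, m["client"], host_of(m["url"])
    m = BIND_RE.match(line)
    if m:
        ts = datetime.strptime(m["date"], "%d-%b-%Y %H:%M:%S")
        return ts.replace(tzinfo=timezone.utc), m["client"], m["qname"].rstrip(".").lower()
    return None


def hunt(lines, indicators=INDICATORS):
    """Every contact with an indicator domain, oldest first as logged."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, host = rec
        ind = matching_indicator(host, indicators)
        if ind:
            hits.append({"time": ts.isoformat(), "client": client,
                         "host": host, "indicator": ind})
    return hits


def affected_clients(hits):
    """Sorted list of internal addresses to pull for triage."""
    return sorted({h["client"] for h in hits})


# Constructed sample log lines (Squid native format and BIND query log).
SAMPLE_LOG = [
    "1304784000.123    245 10.1.2.3 TCP_MISS/200 5132 GET http://ads.malicious.example/banner.js - DIRECT/203.0.113.5 application/javascript",
    "1304784060.456    812 10.1.2.3 TCP_TUNNEL/200 2048 CONNECT cdn.scareware.invalid:443 - DIRECT/198.51.100.7 -",
    "1304784100.000    100 10.1.2.5 TCP_HIT/200 300 GET http://www.example.com/ - NONE/- text/html",
    "07-May-2011 09:15:01.123 client 10.1.2.4#51234: query: ads.malicious.example IN A + (10.0.0.53)",
    "this line is not in either format",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f'{h["time"]} {h["client"]} -> {h["host"]} (indicator {h["indicator"]})')
    print("clients to triage:", affected_clients(SAMPLE_LOG and hunt(SAMPLE_LOG)))
```

Matching on the parent domain matters because malvertising and FakeAV campaigns rotate hostnames under a few registered domains; matching only exact hostnames from an alert would miss the next rotation.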

Some of the above have implications for web developers: if you register your domain through one of the “domain by proxy” (WHOIS privacy) services that are popular with the bad guys, reputation-based blacklists may flag your site as guilty by association.


Minnebar 6 (2011-05-07)


Rich Graves