Fake Flash Updates and Bad Ads

SANS is reporting that "a game site related to RuneScape" has been identified as one that is pointing people to a fake Macromedia update page where unsuspecting visitors are encouraged to "update" to the latest Flash player. This is another in the trend toward "phishing" but in this case it is not perpetrated by e-mail - instead it is a compromised web site (see other SANS articles on the tens of thousands of such sites in Italy this past week at: http://isc.sans.org/diary.php?storyid=2991 and http://isc.sans.org/diary.php?storyid=3015)

While in this case the fake page was easily detected if you looked at your browser address bar (it was definitely NOT a Macromedia site) this brings up the point that at ANY time you are redirected to a page you should be suspicious and look at both the address bar, and in some cases the "source" of the page (go to View -> Page Source on your menu bar) to see if any/all of the URLs in the page are suspicious. In this case the "Download" URL on the page was the one that had been changed - all the rest pointed to the real Macromedia page. In addition, the bad-uglies had changed the page with an added script that disabled the right-mouse button which usually will also allow you to check things like the page source code, print the page, etc.

Original story: http://isc.sans.org/diary.php?storyid=3024

Read on for more items of interest:
The internet is boiling down to be largely an advertising supported medium, just like TV. This means we are seeing more and more advertising in our favourite sites, and that, like anything else that is popular on the 'net there are bad-uglies out there that will work at taking advantage of this fact. Maybe some of them don't appear on the surface to be "bad-uglies" (aka crooks) but...

Two items crossed my desk today in this vein:

The first was a note in Slashdot.org about ISPs injecting "a small Javascript application into every web page that is loaded via their service" which proceeds to inject advertising into EVERY web page you visit - ads that the ISP makes money from. (see http://yro.slashdot.org/article.pl?sid=07/06/23/1233212)

The second was from SANS, talking about the fact that many web sites were selling advertising to what ended up being crooks, who use the ads to redirect web viewers (those who click-through the ad) to one of the millions of "bots" which then redirects to a machine that tries to infect the user machine with a trojan or worm. (see: http://isc.sans.org/diary.php?storyid=3030)

The SANS site, in a second article (http://isc.sans.org/diary.php?storyid=3033 )  on the same topic, points to a number of add-ins for Firefox/Mozilla that can help a lot in this situation (you ARE using Firefox, aren't you!!!)

The one I like the best is NoScript (https://addons.mozilla.org/en-US/firefox/addon/722) which allows you to "whitelist" sites that you'll allow Javascript to run from.

As usual, forewarned is forearmed - don't get caught. This is just another in the arsenal (along with anti-virus, firewalls, etc.) necessary to protect your systems from what is turning out to be an internet that is far from being just wild, but instead is turning out to be actively hostile.

richard