[en] Yahoo Ads for Fake Java Update (PUP.DomaIq)

Yesterday I got this tweet: https://twitter.com/MickaelViaud/status/420314220610457600
It reports getting the fake Java update (PUP.DomaIQ) on Dailymotion via Yahoo ads.

(Dailymotion is a major video streaming website, ranked 191 on Alexa.)

[Screenshot: DomaIq_Fake_Java_Yahoo3]

Today, user complaints on the CommentCaMarche forum: http://www.commentcamarche.net/forum/affich-29448801-chrome-virus-spam-url-s-ouvre-toute-seule-http-www-adobeupdate#17

[Screenshot: DomaIq_Fake_Java_Yahoo4]

I got the malvert (and yes, it is one) simply by leaving the browser open on Dailymotion; after about a minute the following request chain fired:

http://ads.yahoo.com/imp?Z=728×90&x=http%3A%2F%2Fams1%2Eib%2Eadnxs%2Ecom%2Fclick%3FmpmZmZmZqT%5FD9Shcj8KlPwAAAAAAAPA%5Fw%5FUoXI%5FCpT%2DamZmZmZmpP2bQJ93lG4oB5POil3yWtTCIJcxSAAAAABGQHwAyAwAA4wQAAAIAAAA%2DzmUAoRsFAAAAAQBVU0QAVVNEANgCWgDJrgAAcboAAQUCAQIAAIoA%2DydsygAAAAA%2E%2Fcnd%3D%2521NAXCLQiQhW4QvpyXAxihtxQgAA%2E%2E%2Freferrer%3Dhttp%253A%252F%252Fwww%2Edailymotion%2Ecom%252Fvideo%252Fx19b0bo%5Fcarburants%2Dcomment%2Dvous%2Dretrouvez%2Dvous%2Ddans%2Dla%2Djungle%2Ddes%2Dprix%5Fnews%2Fclickenc%3Dhttp%253A%252F%252Foptimized%2Dby%2Erubiconproject%2Ecom%252Ft%252F8769%252F14389%252F29795%2D2%2E3575286%2E3741760%253Furl%253D%24&u=%7bPUB_URL%7d&s=3898459&T=3&_salt=0&B=10&H=http%3A%2F%2Fib.adnxs.com%2Ftt%3Fid%3D2068497%26pubclick%3Dhttp%3A%2F%2Foptimized-by.rubiconproject.com%2Ft%2F8769%2F14389%2F29795-2.3575286.3741760%3Furl%3D&M=3&r=0
http://www.trxtraininggb.com/creative.php?size=12051208&creative_id=24367561&pid=29507&pixel=AAAAAFt8OwDJ0XMBAAAAAPNKcAAAAAAAAgAAAAYAAAAAAP8AAAADEkTzVQAAAAAA9u-BAAAAAADL-YkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhuhYAAAAAAAIAAwAAgD8ADZ5ybUMBAAAAAAAAADYwYWI2MDIyLTc3YjUtMTFlMy1hYjYzLTRiYTRjNWYwZWQ0NQAAAAAAAAA= – 1 @ VT : https://www.virustotal.com/fr/url/9ccd3c2aa84694ef8f7f37ec626b148e153ac3ec754b3b214ba33a644409a982/analysis/1389112589/
http://www.java-2014down.com/FR/?s1=AAAAAFt8OwDJ0XMBAAAAAPNKcAAAAAAAAgAAAAYAAAAAAP8AAAADEkTzVQAAAAAA9u-BAAAAAADL-YkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhuhYAAAAAAAIAAwAAgD8ADZ5ybUMBAAAAAAAAADYwYWI2MDIyLTc3YjUtMTFlMy1hYjYzLTRiYTRjNWYwZWQ0NQAAAAAAAAA=&s2=29507&s3=FR&s4=12051208&s5=24367561
http://www.java-2014down.com/FR/Installer.php?dv1=AAAAAFt8OwDJ0XMBAAAAAPNKcAAAAAAAAgAAAAYAAAAAAP8AAAADEkTzVQAAAAAA9u-BAAAAAADL-YkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhuhYAAAAAAAIAAwAAgD8ADZ5ybUMBAAAAAAAAADYwYWI2MDIyLTc3YjUtMTFlMy1hYjYzLTRiYTRjNWYwZWQ0NQAAAAAAAAA=&dv2=29507&dv3=FR&dv4=12051208
http://ttb.playerplugin.com/download/request/51a9b7865f1c1eb81f000001/CtlLI2Yz?PubID=1731_1925&ClickID=3205944156
http://dlp.allfiles103.com/JW6vDO-FuSX6_AeQLj29XtjuMDA48r1HmKmHPMWHmnrG0WnVzAP3MVpzzgHihjpQ

[Screenshots: DomaIq_Fake_Java_Yahoo, DomaIq_Fake_Java_Yahoo2]

I hope Yahoo will act and remove this malvert.

For French readers: this fake update installs Nation Zoom (and possibly other adware). You can follow this procedure to remove Nation Zoom: http://forum.malekal.com/supprimer-nation-zoom-t45740.html

EDIT – January 8

Dailymotion and Yahoo have been contacted. Checking again, I got two redirections.
Below: the fake Java (or Adobe Flash) update, and a "Win an iPad" page (tabs titled "Félicitation!!!"). The ads replace the whole Dailymotion page, not just the ad slot.

[Screenshots: Dailymotion_ads_yahoo_clicksor, Dailymotion_ads_yahoo_clicksor2]

The URLs:

http://ads.yahoo.com/imp?_cbv=3353494515&_msd=1&_xcf=0&Z=728×90&u=dailymotion.com&rmxbkn=0&s=5013750&T=3&_salt=0&B=10&H=http%3A%2F%2Fams1.ib.adnxs.com%2Fif%3Fenc%3DuB6F61G4rj-4HoXrUbiuP2Dl0CLb-c4_uB6F61G4rj-4HoXrUbiuPwTXw-57t5Nk3F3V0VT4EDNSR81SAAAAAEQhFAAdAgAAHQIAAAIAAACCuIsAYWwCAAAAAQBVU0QAVVNEANgCWgD5VAAAGcAAAgQCAQIAAIYA9SnD6gAAAAA.%26cnd%3D%2521zSdVHQjM9oEBEILxrgQYACDh2A&M=3&r=0
which redirects to: http://catch.riffynetwork.com/click728.html (213.222.5.61, Bizway B.V., NL),

and then loads content from Clicksor. I am not a fan of Clicksor, as they periodically have malvertising issues; for example: http://www.malekal.com/2013/12/08/malvertising-on-clicksor-via-rapid8-com/
Incidentally, according to Invincea, Dailymotion also redirected to a FakeAV: http://www.invincea.com/2014/01/dailymotion-com-redirects-to-fake-av-threat/

Clicksor traffic:
http://ads.clicksor.com/newServing/showAd.php?nid=1&pid=304673&adtype=1&sid=538358
http://serw.clicksor.com/newServing/searchTrack.php?nid=1&sid=538358&random=738713247
http://pub.clicksor.net/newServing/js/show_ad.js
http://serw.clicksor.com/newServing/getkey.php?cb=getkey&ob=Yesup.clicksor.Code[0]&nid=1&pid=304673&sid=538358&spid=&ns=0&nw=1&zone=0&url=http%3A%2F%2Fads.yahoo.com%2Fst%3Fad_type%3Diframe%26ad_size%3D728x90%26section%3D5013750%26pub_url%3Ddailymotion.com%26_msd%3D1%26_xcf%3D0%26rmxbkn%3D0%26_cbv%3D3353494515&lb=0&ext=0&oe=iso-8859-1&t7969123&txt=Riffynetwork
http://serw.clicksor.com/newServing/showbanner.php?nid=1&t9269.462439714461&zone=0&chad=1&oe=iso-8859-1&cs=&adtype=1&sid=538358&pid=304673&spid=&adu=2&image=3&c1=%23A0D000&c2=%23FFFFFF&c3=%23000000&c4=%23666666&memkey=6927a62e15c60e573a1e61358bdd4418&qp=YF4lJi77JSoh-SQu-yQoJfFjZU4wLCEgIzEi_GpVJScsIyUufv4hNCIqLX4g-XBdMCghICktIicvI3s&bdurl=&lq=0&lb=1&ref=http%3A%2F%2Fads.yahoo.com%2Fst%3Fad_type%3Diframe%26ad_size%3D728x90%26section%3D5013750%26pub_url%3Ddailymotion.com%26_msd%3D1%26_xcf%3D0%26rmxbkn%3D0%26_cbv%3D3353494515&orid=9632986
http://pub.clicksor.net/newServing/js/banner.js
http://perricone.educationv.com/product/acyl-glutathione/728×90.html
http://down.javainstall.org/go.php?code=java&country=FR
http://www.javainstall.org/topic/java/?auth=downl&ext=1&country=FR

[Screenshot: Ipad_ads_yahoo]

Win an iPad ads:
http://ads.yahoo.com/imp?Z=728×90&x=http%3A%2F%2Fams1%2Eib%2Eadnxs%2Ecom%2Fclick%3FmpmZmZmZqT%5FD9Shcj8KlPwAAAAAAAPA%5Fw%5FUoXI%5FCpT%2DamZmZmZmpP6up1IKGAZQp%5FugyUgKkojPuJ81SAAAAAGqMIAAyAwAA4wQAAAIAAAA%2DzmUAneIEAAAAAQBVU0QAVVNEANgCWgBc%2DAAAn7gDAQUCAQIAAIoAjyjU1QAAAAA%2E%2Fcnd%3D%2521PQXjLQiQhW4QvpyXAxidxRMgAA%2E%2E%2Freferrer%3D%2525referer%253Ddailymotion%2Ecom%2Fclickenc%3D%24&u=%7bPUB_URL%7d&s=3898459&T=3&_salt=0&B=10&H=http%3A%2F%2Fams1.ib.adnxs.com%2Fif%3Fenc%3DmpmZmZmZqT_D9Shcj8KlPwAAAAAAAPA_w_UoXI_CpT-amZmZmZmpP6up1IKGAZQp_ugyUgKkojPuJ81SAAAAAGqMIAAyAwAA4wQAAAIAAAA-zmUAneIEAAAAAQBVU0QAVVNEANgCWgBc-AAAn7gAAgUCAQIAAIoAjSiv1QAAAAA.%26cnd%3D%25210SMyNQiQhW4QvpyXAxgAIJ3FEz&M=3&r=0
http://shuang11dacu.com/frdsnr/
http://shuang11dacu.com/fr/dsnr/lp.php
http://shuang11dacu.com/fr/dsnr/lp.php
http://shuang11dacu.com/fr/dsnr/index.php
http://mprptrk.com/mt/v27433a4b4v233r244z2u2b4/&subid1=dsnr
http://lp.prizerally.com/fr/newipad/?networkid=411&category=b2c&country=fr&pageid=201&programid=137&saleid=1&optinfo=e2c4w294c4y2v2_37f0444faf5098c2dc6f23f2bd9be1bd&publisher=CD13939
http://lp.prizerally.com/fr/newipad/style.css
http://lp.prizerally.com/fr/newipad/js/main.js
http://lp.prizerally.com/fr/newipad/settings.xml
http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js
http://urs.microsoft.com:443
http://lp.prizerally.com/fr/disclaimer.html
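To make the chains above easier to work with when reporting them, here is a small triage script. It is an added example for this page, not code from the original post and not anything published by Yahoo or AppNexus. It takes the January 7 and January 8 ads.yahoo.com tags, the trxtraininggb.com creative URL and the java-2014down.com landing URL exactly as quoted above, and does three things a responder wants before writing to the ad network: it peels the nested percent-encoding to list every host inside each tag, outermost first (Yahoo's ad server, AppNexus, Rubicon, and the Dailymotion referrer that confirms the publisher page); it matches the landing page's s1..s5 parameters against the creative's, so the report can cite the creative_id, pid and pixel that served it; and it base64-decodes the pixel blob, in which a version-1 UUID sits as printable ASCII. That UUID's embedded timestamp works out to 2014-01-07 16:04 UTC, about half an hour before the VirusTotal scan timestamp (1389112589) quoted above. Calling that UUID the "impression id" is this example's own label and the rest of the blob layout is not decoded; the function names are likewise this example's, and the tail-aligned base64 decoding is a safety net for blobs that lose characters when copied out of an address bar or a truncated log line.

```python
"""Triage helpers for the ad tags quoted in this post (added example, not the
post's own code).  The URLs are copied from the post; the function names and
the 'impression id' label for the UUID found in the pixel blob are this
example's own, not documented Yahoo/AppNexus field names."""
import base64
import datetime as dt
import re
import uuid
from urllib.parse import parse_qsl, unquote, urlsplit

# January 7 tag: ads.yahoo.com -> AppNexus click -> Rubicon, with the Dailymotion referrer.
YAHOO_IMP_JAN7 = "http://ads.yahoo.com/imp?Z=728×90&x=http%3A%2F%2Fams1%2Eib%2Eadnxs%2Ecom%2Fclick%3FmpmZmZmZqT%5FD9Shcj8KlPwAAAAAAAPA%5Fw%5FUoXI%5FCpT%2DamZmZmZmpP2bQJ93lG4oB5POil3yWtTCIJcxSAAAAABGQHwAyAwAA4wQAAAIAAAA%2DzmUAoRsFAAAAAQBVU0QAVVNEANgCWgDJrgAAcboAAQUCAQIAAIoA%2DydsygAAAAA%2E%2Fcnd%3D%2521NAXCLQiQhW4QvpyXAxihtxQgAA%2E%2E%2Freferrer%3Dhttp%253A%252F%252Fwww%2Edailymotion%2Ecom%252Fvideo%252Fx19b0bo%5Fcarburants%2Dcomment%2Dvous%2Dretrouvez%2Dvous%2Ddans%2Dla%2Djungle%2Ddes%2Dprix%5Fnews%2Fclickenc%3Dhttp%253A%252F%252Foptimized%2Dby%2Erubiconproject%2Ecom%252Ft%252F8769%252F14389%252F29795%2D2%2E3575286%2E3741760%253Furl%253D%24&u=%7bPUB_URL%7d&s=3898459&T=3&_salt=0&B=10&H=http%3A%2F%2Fib.adnxs.com%2Ftt%3Fid%3D2068497%26pubclick%3Dhttp%3A%2F%2Foptimized-by.rubiconproject.com%2Ft%2F8769%2F14389%2F29795-2.3575286.3741760%3Furl%3D&M=3&r=0"
# The creative that tag led to, and the fake-Java landing page the creative led to.
CREATIVE_URL = "http://www.trxtraininggb.com/creative.php?size=12051208&creative_id=24367561&pid=29507&pixel=AAAAAFt8OwDJ0XMBAAAAAPNKcAAAAAAAAgAAAAYAAAAAAP8AAAADEkTzVQAAAAAA9u-BAAAAAADL-YkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhuhYAAAAAAAIAAwAAgD8ADZ5ybUMBAAAAAAAAADYwYWI2MDIyLTc3YjUtMTFlMy1hYjYzLTRiYTRjNWYwZWQ0NQAAAAAAAAA="
INSTALLER_URL = "http://www.java-2014down.com/FR/?s1=AAAAAFt8OwDJ0XMBAAAAAPNKcAAAAAAAAgAAAAYAAAAAAP8AAAADEkTzVQAAAAAA9u-BAAAAAADL-YkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABhuhYAAAAAAAIAAwAAgD8ADZ5ybUMBAAAAAAAAADYwYWI2MDIyLTc3YjUtMTFlMy1hYjYzLTRiYTRjNWYwZWQ0NQAAAAAAAAA=&s2=29507&s3=FR&s4=12051208&s5=24367561"
# January 8 tag: the one that went on to catch.riffynetwork.com and Clicksor.  Note that
# the tag itself only names the exchange; the onward redirect is not visible in it.
YAHOO_IMP_JAN8 = "http://ads.yahoo.com/imp?_cbv=3353494515&_msd=1&_xcf=0&Z=728×90&u=dailymotion.com&rmxbkn=0&s=5013750&T=3&_salt=0&B=10&H=http%3A%2F%2Fams1.ib.adnxs.com%2Fif%3Fenc%3DuB6F61G4rj-4HoXrUbiuP2Dl0CLb-c4_uB6F61G4rj-4HoXrUbiuPwTXw-57t5Nk3F3V0VT4EDNSR81SAAAAAEQhFAAdAgAAHQIAAAIAAACCuIsAYWwCAAAAAQBVU0QAVVNEANgCWgD5VAAAGcAAAgQCAQIAAIYA9SnD6gAAAAA.%26cnd%3D%2521zSdVHQjM9oEBEILxrgQYACDh2A&M=3&r=0"

# The same tracking blob as it appears on the creative ("pixel") and on the landing page ("s1").
PIXEL_BLOB = dict(parse_qsl(urlsplit(CREATIVE_URL).query))["pixel"]
INSTALLER_BLOB = dict(parse_qsl(urlsplit(INSTALLER_URL).query))["s1"]


def fully_unquote(s: str, max_rounds: int = 6) -> str:
    """Percent-decode until the string stops changing: ad tags nest URLs several
    levels deep (%253A -> %3A -> ':')."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def embedded_hosts(tag_url: str) -> list:
    """Hosts of every URL nested inside an ad tag, outermost first.

    After full decoding each embedded URL begins at an 'http(s)://'; the text up
    to the next such start belongs to it, and urlsplit's netloc (up to the first
    '/', '?' or '#') gives that hop's host.  Path structure is not preserved, but
    the list of parties is, which is what a report to the network needs."""
    flat = fully_unquote(tag_url)
    starts = [m.start() for m in re.finditer(r"https?://", flat, re.IGNORECASE)]
    hosts = []
    for begin, end in zip(starts, starts[1:] + [len(flat)]):
        host = urlsplit(flat[begin:end]).hostname
        if host:
            hosts.append(host)
    return hosts


def shared_values(url_a: str, url_b: str, min_len: int = 5) -> dict:
    """Map each query parameter of url_b to the parameters of url_a carrying the
    same value: shows which identifiers the landing page inherits from the
    creative.  Short values (country codes, flags) are ignored."""
    by_value: dict = {}
    for name, value in parse_qsl(urlsplit(url_a).query, keep_blank_values=True):
        if len(value) >= min_len:
            by_value.setdefault(value, []).append(name)
    return {name: by_value[value]
            for name, value in parse_qsl(urlsplit(url_b).query, keep_blank_values=True)
            if value in by_value}


def decode_tail_aligned(b64: str) -> bytes:
    """URL-safe base64 decode that frames quanta from the END of the string.

    The trailing '=' padding fixes where the encoder's last quantum ended, so a
    blob that lost characters from its head (copied from an address bar or a
    truncated log line) is re-aligned by left-padding with 'A' (all-zero bits)
    instead of trusting the head.  For an intact blob this adds nothing."""
    body = b64.rstrip("=")
    pad = len(b64) - len(body)
    prefix = "A" * ((-pad - len(body)) % 4)
    return base64.urlsafe_b64decode(prefix + body + "=" * pad)


UUID_RE = re.compile(rb"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def impression_id(blob_b64: str):
    """The UUID carried as printable ASCII inside the tracking blob, or None.
    'impression id' is this example's label; the rest of the blob is not parsed."""
    m = UUID_RE.search(decode_tail_aligned(blob_b64))
    return uuid.UUID(m.group().decode()) if m else None


def uuid1_time(u: uuid.UUID):
    """UTC time encoded in a version-1 UUID (100 ns ticks since 1582-10-15),
    or None for any other version."""
    if u.version != 1:
        return None
    unix_seconds = (u.time - 0x01B21DD213814000) / 1e7
    return dt.datetime.fromtimestamp(unix_seconds, dt.timezone.utc)


if __name__ == "__main__":
    for label, tag in (("Jan 7", YAHOO_IMP_JAN7), ("Jan 8", YAHOO_IMP_JAN8)):
        print(label, " -> ".join(embedded_hosts(tag)))
    print("landing-page params inherited from the creative:", shared_values(CREATIVE_URL, INSTALLER_URL))
    u = impression_id(PIXEL_BLOB)
    if u is not None:
        print("id in blob:", u, "version", u.version, "minted", uuid1_time(u).isoformat())
        print("same id on the landing page:", impression_id(INSTALLER_BLOB) == u)
```

Run it as a script to get the host chain for each tag, the s2/s4/s5 to pid/size/creative_id mapping, and the UUID with its mint time; the same functions work on any other tag from a proxy log, and the one thing to keep in mind is that hosts named inside a tag are only the parties visible at impression time, not the servers a later 302 or JavaScript hop adds (the riffynetwork and Clicksor hosts above only show up in the live capture).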
