StopBadware's landing pages saw a big spike in traffic last month between May 30 and 31. We found that popular French torrent site t411[.]me was the main (though not only) culprit, and that the site had wound up on Google’s blacklist as the result of a malvertising attack.
Our overall traffic skyrockets whenever a popular site or group of sites is blacklisted. One of the first things we look at, however, is how many people are finding their way to our Firefox landing page—in other words, how many people are ignoring malware warnings, visiting the blacklisted site, and going the extra mile to report to us (and Mozilla) that the site they’re visiting is not, in fact, “a badware site.”
How many users visited the site over warnings and exposed themselves to malvertising? Over 37,000 between May 29 and June 1.
A little digging turned up research done by top-notch French security researcher malekal, who frequently documents malvertising campaigns as they make their way around the Web. It turns out this campaign was pushing fake Java and Flash updates—a particularly effective strategy on sites users are visiting to access online media. We know from experience that users tend to be more likely to click through warnings in order to access media streams or downloads.
Malicious advertising is one of the trickiest problems the security industry faces. We don’t know what the successful infection rate was for this campaign, but even a small fraction of the 37,000 users we know were exposed is an unacceptably high success rate for malware distributors.