Possible Fake-AV Ads from Doubleclick Servers
Reader James ran into a Fake AV ad delivered by Double click. It is not clear if this is the result of a compromise of double click, or a paid ad that slipped through doubleclick's content review process. James' started out at a local new paper web site, that like many others features ads served by double click. Luckily, James used a proxy tool (Fiddler) to record the session. Here are some of the excerpts (slightly anonymized and spaces inserted to avoid accidental clicks):
GET http://ad.doubleclick.net/adj/mi.ida00/News;atf=n;dcove=d;pl=sectfront;sect=News;
pos=2;sz=300x250;tile=8;!c=news;gender=;year=;income=;ord=230528779772346? HTTP/1.1
Accept: */*
Referer: [local newspaper URL]
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; [...]
Accept-Encoding: gzip, deflate
Host: ad.doubleclick.net
Connection: Keep-Alive
Cookie: id=xxxxa||t=1352150000|et=730|cs=yyyy
The reply to this request was:
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 167
Date: Mon, 05 Nov 2012 22:32:59 GMT
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
Comments
Blue
Nov 6th 2012
1 decade ago
Sean
Nov 6th 2012
1 decade ago