Malicious adverts displayed on the Ask.fm website have been automatically
redirecting users to malware sites, where they are prompted to install unwanted
or malicious software under the pretense of Java and Flash Player updates.
This particular advert is benign and serves only as an example of the banner's placement.
Ask.fm is a popular social network which allows its users to receive and answer
anonymous questions, but both registered users and anonymous question askers are being put at risk by some of the adverts it displays. Merely
viewing a user's profile on Ask.fm caused some users to be redirected to the
following page, which claimed that an outdated Java plugin had been detected
(even when Java had been disabled).
Rather than downloading a Java update, victims will instead end up installing
a program which several anti-virus vendors identify as DomaIQ. This is
an advertising platform used by adware and other malicious programs to display
unwanted pop-up ads within Internet Explorer, Firefox and Google Chrome.
The rogue advert responsible for performing the redirection was initially
served through ADTECH GmbH, a wholly-owned subsidiary of AOL. However, the
trail does not end there – the framed content served by ADTECH subsequently
requested several pages from AppNexus servers at ib.adnxs.com and
ams1.ib.adnxs.com, before one of these pages initiated a request to a Java
servlet on exchange.admailtiser.com. Finally, this servlet page caused the
parent frame to be redirected from Ask.fm to the page on www.updriong.com,
essentially taking the browser to a different website without requiring any user
interaction.
After returning to the Ask.fm website, another
rogue advert immediately redirected the browser to a fake Adobe Flash update site.
Again, no user interaction was required – the chain of requests initiated by the
third party advert automatically redirected the user's browser to the fake site
hosted in Sweden.
In this case, the rogue advert on
http://ask.fm/account/wall was again initially served by ADTECH, but the
framed content made its next request to a Yahoo ad server (ads.yahoo.com), which
in turn made a request to ad.copa-media.com, which itself made a request for
content hosted on an AppNexus server at ams1.ib.adnxs.com.
Finally, a request to
another AppNexus server at ib.adnxs.com resulted in the user's browser being
redirected to the fake Adobe Flash update site at download.adoocobo.us.
The setup.exe file is served from a domain which is known for propagating malware.
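Both redirect chains above follow the same pattern: a top-level navigation away from ask.fm whose Referer trail leads back, through several ad-network hosts, to a page on the first-party site. The following is an added example, not part of the original article, of how an analyst can rebuild such chains from a proxy or HAR-style request log. The hostnames are the ones named in the article; the request paths, query strings, ordering and the ADTECH hostname (adtech-server.example) are constructed placeholders, and the log models the Referer on a top-level navigation as the framed document whose script triggered it.

```python
from urllib.parse import urlsplit

SITE = "ask.fm"  # the first-party site whose pages carried the adverts

# Constructed proxy log in request order: (url, referer, is_top_level_navigation).
# Hostnames are those named in the article; paths, query strings and the
# ADTECH hostname "adtech-server.example" are placeholders for this example.
LOG = [
    ("http://ask.fm/someuser", None, True),
    ("http://ask.fm/assets/app.css", "http://ask.fm/someuser", False),
    ("http://adtech-server.example/adserv?p=1", "http://ask.fm/someuser", False),
    ("http://ib.adnxs.com/tt?id=1", "http://adtech-server.example/adserv?p=1", False),
    ("http://ams1.ib.adnxs.com/if?e=1", "http://ib.adnxs.com/tt?id=1", False),
    ("http://exchange.admailtiser.com/servlet/ad", "http://ams1.ib.adnxs.com/if?e=1", False),
    ("http://www.updriong.com/java/", "http://exchange.admailtiser.com/servlet/ad", True),
    ("http://ask.fm/account/wall", None, True),
    ("http://adtech-server.example/adserv?p=2", "http://ask.fm/account/wall", False),
    ("http://ads.yahoo.com/imp?x=1", "http://adtech-server.example/adserv?p=2", False),
    ("http://ad.copa-media.com/serve?c=1", "http://ads.yahoo.com/imp?x=1", False),
    ("http://ams1.ib.adnxs.com/if?e=2", "http://ad.copa-media.com/serve?c=1", False),
    ("http://ib.adnxs.com/tt?id=2", "http://ams1.ib.adnxs.com/if?e=2", False),
    ("http://download.adoocobo.us/flash/", "http://ib.adnxs.com/tt?id=2", True),
]


def registrable_domain(url):
    """Crude 'site' of a URL: its last two host labels. A production tool should
    consult the Public Suffix List; this suffices for the hostnames used here."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def referrer_chain(log, nav_url):
    """Follow Referer headers backwards from nav_url until a request with no
    referer (the page the user actually opened). Assumes URLs are unique in
    the log. Returns hostnames, first-party page first."""
    referer_of = {url: referer for url, referer, _ in log}
    chain, seen, url = [], set(), nav_url
    while url is not None and url not in seen:
        seen.add(url)
        chain.append(urlsplit(url).hostname)
        url = referer_of.get(url)
    return list(reversed(chain))


def offsite_navigations(log, site=SITE):
    """Top-level navigations that left the first-party site, each with the
    third-party hosts between the originating page and the landing host.
    A chain that starts on the first-party site and passes only through ad
    hosts is the malvertising redirect pattern described in the article."""
    findings = []
    for url, _, is_nav in log:
        if is_nav and registrable_domain(url) != site:
            chain = referrer_chain(log, url)
            findings.append({
                "landing": urlsplit(url).hostname,
                "origin_page": chain[0],
                "intermediaries": chain[1:-1],
            })
    return findings


if __name__ == "__main__":
    for f in offsite_navigations(LOG):
        print(f["origin_page"], "->", " -> ".join(f["intermediaries"]), "->", f["landing"])
```

Referer trails can be cut short by referrer policies or stripped by privacy tooling, so where a HAR export is available its initiator information is the more reliable link. On the publisher side, the mitigation for this class of redirect is to serve third-party creatives in an iframe carrying the `sandbox` attribute without `allow-top-navigation`, which the browser enforces by refusing to let the framed document navigate the parent page.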
Mobile browsers have also been targeted by similar attacks on Ask.fm. The example below
shows an Ask.fm webpage displaying an intrusive and unsolicited alert dialog which originates
from a Yahoo ad server. If the user clicks OK, he will be taken to a
site which falsely claims that his phone has severe battery issues.
Within a few minutes, another advert on Ask.fm attempted to download an
Android app directly from a website in France as soon as the user clicked OK.
The makers of the genuine
Mobogenie Market app recommend that it should only be downloaded from
reliable sources such as Google Play, mobogenie.com and other partner networks
(although they do not specify who these are).
Incidentally, despite encouraging its users not to reveal their passwords to
anyone, the login form on http://ask.fm transmits a
user's password over an unencrypted HTTP connection.
Most high profile websites
only ever transmit passwords over encrypted HTTPS connections, and many sites
also ensure that the entire duration of a browser session remains encrypted,
i.e. not just the login process. Sending plain text passwords over an
unencrypted connection makes them vulnerable to eavesdropping, giving a
correctly-positioned attacker the opportunity to gain unauthorised access to
Ask.fm user accounts.
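The weakness described in the last paragraph is easy to check for before a site ships a login page. Below is an added example, not code from the original article or from Ask.fm, which parses a login page and reports any form that would send a password field over plain HTTP. The page markup is a constructed stand-in for the form the article describes; the check flags both an http:// form action and a login page that is itself served over http://, since an attacker who can alter an unencrypted page can rewrite an https:// action anyway.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed login page standing in for the form the article describes.
# The markup is an assumption made for this example, not Ask.fm's actual HTML.
PAGE_URL = "http://ask.fm/"
PAGE_HTML = """
<html><body>
<form id="login" method="post" action="/login">
  <input type="text" name="login">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<form id="search" method="get" action="https://ask.fm/search">
  <input type="text" name="q">
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the names of its password inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"id": a.get("id"), "action": a.get("action") or "",
                             "password_fields": []}
            self.forms.append(self._current)
        elif (tag == "input" and self._current is not None
              and (a.get("type") or "").lower() == "password"):
            self._current["password_fields"].append(a.get("name"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_password_forms(page_url, html):
    """Return the forms on the page that would transmit a password in clear text.

    A form is reported when its resolved action is not https://, or when the
    page carrying the form was itself fetched over http://. Forms without a
    password field are ignored."""
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in parser.forms:
        if not form["password_fields"]:
            continue
        # An empty action submits back to the page URL; urljoin handles that.
        target = urljoin(page_url, form["action"])
        reasons = []
        if urlsplit(target).scheme != "https":
            reasons.append("form action is not https")
        if page_scheme != "https":
            reasons.append("login page itself served over http")
        if reasons:
            findings.append({"form": form["id"], "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in insecure_password_forms(PAGE_URL, PAGE_HTML):
        print(finding["form"], finding["target"], "; ".join(finding["reasons"]))
```

Clearing both findings means serving the login page and its action over HTTPS; adding a Strict-Transport-Security header then keeps the browser from ever making the plaintext request again, which also covers the session after login that the paragraph above mentions.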