A compromise of advertising network Netseer's site, coupled with the broad blacklisting of its domain, resulted in malware alerts popping up on major Websites.
A red-bordered malware alert greeted users of Google's Chrome browser when they visited major Websites, such as ZDNet and The Guardian UK, for much of the morning of Feb. 4.
Yet the news sites were not compromised; instead, the warning arose from the hack of third-party advertising network Netseer's home page and Google’s broad blacklisting of the company's domain, netseer.com.
Google blacklisted the domain earlier in the day through the Internet giant's Safe Browsing technology. Yet, because Netseer serves up advertisements to its clients using the same domain, malware warnings greeted many visitors to those Websites, as well.
Google's Safe Browsing technology flags potentially malicious search results on Google's search pages and blocks the Chrome browser from going to potentially hostile sites. In this case, however, there was no danger, Sanjiv Ghate, vice president of products for Netseer, said in a statement to eWEEK.
"Our ad-serving infrastructure is completely different from the corporate Website but shares the same domain (netseer.com)," Ghate said. "So although the malware never impacted the ad serving, all our ad-serving partners saw Chrome and other browsers flagging malware warnings to users."
The incident began at 8:30 a.m. EST Feb. 4 when Netseer's Website was compromised and made to serve up malicious software, or malware, to visitors, the company said. Google added the site to its blacklist.
"Our operations team went into all-hands-on-deck mode, and we have successfully cleaned the site of the malware issue," the company said in an email sent to eWEEK at 11:48 a.m. EST. "We are also working with Google to do an expedited review of the site and remove the site from the malware-impacted site-list so that browsing behavior can be restored for all users."
The company began notifying its partners at the same time, recommending that they remove any third-party content leading back to the netseer.com domain from their sites. By the end of the day, Google searches no longer tagged Netseer results with the malware tag—"This site may harm your computer"—but other technologies, such as routers, that regularly update their internal blacklists using Google's Safe Browsing list could continue to flag the site, and its partners, as malicious.
Initially, the warnings were thought to be related to a malvertising scheme, which uses advertising networks to distribute malicious code or links to malicious code to unwitting Website visitors. The scheme can be very successful because it can appear that a malicious advertisement is being pushed to major Websites.
"We have seen it accelerate over the last couple of years at least," said Yishay Yovel, vice president of marketing for online-security firm Trusteer. "You don't need to compromise a Website or the ad servers; you have to just submit an advertisement."
While the actual advertisements served by Netseer's system were apparently not malicious, the widespread warnings seen by Google Chrome users demonstrate how far-reaching such an attack can become. In addition to ZDNet and The Guardian, the warnings reportedly affected TheStreet.com, Boston.com, CNET News.com, The New York Times and The Huffington Post.
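Netseer's advice to partners, to remove third-party content leading back to netseer.com, amounts to auditing each page for embedded resources hosted under the flagged domain. The sketch below is an added example, not code from Netseer, Google or eWEEK: it matches by domain suffix, as the domain-wide listing described above did, and the sample page, its host names and the `audit` and `host_is_listed` helpers are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Domain named in the article. Matching is by domain suffix, which is why a
# flag on the corporate site also covered hosts that serve ads.
BLOCKLISTED_DOMAINS = {"netseer.com"}

# Tag -> attribute that makes the browser fetch a remote resource.
FETCHING_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                  "embed": "src", "object": "data", "link": "href"}

def host_is_listed(host, domains=BLOCKLISTED_DOMAINS):
    """True if host is a listed domain or any subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

class EmbedAuditor(HTMLParser):
    """Collects embedded resources whose host falls under a listed domain."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line number, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(FETCHING_ATTRS.get(tag))
        if not value:
            return
        url = urljoin(self.page_url, value)  # resolves relative and // URLs
        if host_is_listed(urlparse(url).hostname):
            self.findings.append((self.getpos()[0], tag, url))

def audit(page_url, html):
    auditor = EmbedAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; every host name below is invented for illustration.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//adserver.netseer.com/tag.js"></script>
</head><body>
<img src="https://cdn.notnetseer.com/logo.png">
<iframe src="http://netseer.com/frame.html"></iframe>
<script src="https://netseer.com.cdn.example.org/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in audit("https://news.example.org/story", SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads {url}")
```

Lookalike hosts such as `cdn.notnetseer.com` and `netseer.com.cdn.example.org` are deliberately not reported, because neither is the listed domain or a subdomain of it.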