
Warning: All Music Guide appears to be a malware infection vector


blue2blue


[UPDATE: these malware ads have now hit Harmony Central! If a malware ad/pop up takes over your browser -- and it can happen in IE, Firefox, or even Safari for Windows -- immediately use the 'three-finger-salute,' ctrl-alt-delete, to bring up the task manager and shut down all instances of the affected browser. You might also want to shut down Windows, as well. Anti-virus and scans by Ad-Aware and Spybot Search and Destroy may also be warranted.]

 

It is with not a little sadness that I report that the All Music Guide site appears to now be an infection vector for malware pop up advertising.

 

On a number of occasions recently while visiting AMG I had been assaulted by a modal pop up completely taking over Firefox (you can't close your browser or the pop up -- any interaction with the browser will send you directly to the malware site -- even the Alt-F4 hotkey that normally closes a Windows app window sends you to the malware site).

 

I sent an email to AMG's site operations feedback and got back what appeared to be a form email about how they try to keep their advertising as "unintrusive" as possible.

 

After several thorough scans (which removed malware-flagged tracking cookies from adviva.net, implicated in allowing malware to piggyback its cookies as well as a reported Firefox browser hijack attempt) I then set up Windows Safari (which I normally only use for testing purposes during website development) as my "All Music Guide browser"...

 

It only took about three visits to AMG before I got this:

[screenshot: MalwarePopfromAllMusicGuide.jpg]

Again, it took over the browser and forced me to do a brute force shutdown of Safari (using Win Task Manager).

 

I sent them a new message with this image attached and advised them that I would be warning others about the malware-exploits apparently using their advertising to attack visitor browsers.

 

 

I strongly advise against visiting AMG until they have got their house in order.

 

And that's too damn bad, because even though their site makeover last year made it much clumsier to use, it was still an enormously helpful repository of historic info on album releases, personnel, songwriter credits, and so on.

----

http://www.channelregister.co.uk/2007/11/07/rogue_antispyware_ads/

> Thousands of PC users have been duped into surrendering sensitive information and installing malicious software after falling victim to a complex scam that continues to plague well-known websites, a researcher warns.
>
> The scam is the latest to piggyback on banner ads that are fed to high-traffic destinations. Malicious code hardwired into the ads prompts a pop-up that warns of a bogus security threat on the visitor's machine. It offers to fix the problem in exchange for a fee and for credit card information. The ad then attempts to install a back door on the victim's machine.
>
> "These are pretty well-respected, high-traffic websites," said Don Jackson, a researcher with security provider SecureWorks. "The point is to compromise [the user's machine] and basically have it on demand."
>
> Jackson estimates the rogue ads have appeared on anywhere from "several hundred to 1,000" sites, which tend to be related to television and entertainment.
>
> As is so frequently the case, those using the NoScript extension for the Firefox browser are afforded some level of protection against the ads, but not always. The ads are frequently served up by the same server hosting the trusted content. Users who allow the site to run javascript so, for example, it can provide local weather forecasts, will not be protected, Jackson said.
>
> When a person views a page that contains a malicious ad, a threat warning will appear if the victim clicks anywhere on the page or takes most other actions. The bogus anti-spyware programs bear names including Spy-shredder, AntiVirGear and MalwareAlarm.

----

WOW !!! That's a heavy accusation when spoken out publicly. I don't think AMG has anything to do with that!

 

When such a pop up appears, it is rather a security problem of your browser which is unable to block it, and/or the starter is already on your hard drive. To believe it has anything to do with the website you just visit at the moment when such a thing pops up is misleading.

 

I visit AMG every other day for some references, the AMG site is the world wide reference for record shops: "if it's not on AMG it doesn't exist." Never had any problem with my Windows standard browser which blocks 100% all pop ups and viruses.

----

I had a similar thing happen to me at AMG the other day as well. Freaked me out. I never would have expected something like that from them. I've used their site regularly for years.

 

I'd be happy to email them as well, if you have their address. This kind of stuff really pisses me off.

----

> WOW !!! That's a heavy accusation when spoken out publicly. I don't think AMG has anything to do with that!
>
> When such a pop up appears, it is rather a security problem of your browser which is unable to block it, and/or the starter is already on your hard drive. To believe it has anything to do with the website you just visit at the moment when such a thing pops up is misleading.
>
> I visit AMG every other day for some references, the AMG site is the world wide reference for record shops: "if it's not on AMG it doesn't exist." Never had any problem with my Windows standard browser which blocks 100% all pop ups and viruses.

On the contrary -- evidently this type of malware lives on the AMG servers -- that's why our browsers don't catch the script exploit -- it's not from a third party server.

 

For sure, AMG and other sites (as you can see if you follow the link in the post above yours) have been tricked into hosting the code. (Other articles at The Register indicate CNN, The Economist and Huffington Post have also been exploited to load spyware backdoors onto people's machines).

 

But the problem seems VERY much at AMG's end -- they appear to be hosting ads with a malware component embedded in them from their very own servers.

 

 

And, frankly, I'm somewhat annoyed that they shrugged off my detailed warning of the exploit.

 

I hope they're beginning to take the threats that they are serving up a little more seriously. It seems to me they have a very real responsibility for spreading this malware. BTW, Angelo-- I hope you noted that the screenshot was from the Apple Safari browser (for Windows). And it was a fully patched version of Firefox 2 that was almost hijacked earlier in the week (as the subsequent scan revealed).

 

Thank heavens the security in IE is so much better... :D :D :D

 

Word to the wise -- watch out.

 

_________

 

PS -- I'm also a big fan of AMG and have typically used it a number of times a week, probably more than once a day. I think that's how I ended up getting hit so many times -- I had a tab set with three HC forums, three GearSlutz forums, and All Music Guide.

----

 

> I had a similar thing happen to me at AMG the other day as well. Freaked me out. I never would have expected something like that from them. I've used their site regularly for years.
>
> I'd be happy to email them as well, if you have their address. This kind of stuff really pisses me off.

 

They have contact forms on the site. :poke: Yeah... seems kind of a double jeopardy, huh?

 

I fired them off another contact form email with a link to the article just above -- using Safari again, not that that's that much more protection, apparently.

 

The thing to do, apparently, is to turn off javascript in your browser -- but that's a pain -- everything uses Javascript. For site menus, search forms, links sometimes, all kinds of stuff. The article mentioned a Firefox utility for turning javascript on and off in your browser, maybe that's the way to go.

 

 

Of course, we'd been naively trusting the websites we frequent to not host malicious advertising -- but as the article points out the companies that fronted for the ad buys look like a legit small agency.

 

But the goal was stealing credit card numbers and selling them on the net.

 

The malware ads are apparently still being served up at some sites (presumably like AMG) because they haven't paid attention -- or they know about them but just can't figure out how to separate legit adverts from the malware planting ads.

----

I suspect that your other protections are working, Angelo.

 

But, like I said, I had browser hijack attempts in both up-to-date versions of Firefox 2 and Safari for Windows. It only took about three visits with Safari (luck of the draw, perhaps). But with FF, as I mentioned, I had AMG set up in a tabbed browsing setup that got refreshed a lot.

 

And, if you read the linked article farther down, you'll see that AMG isn't the only site so affected.

 

Though it may be more lax about security than the others, judging from the response I got when I reported the attack.

 

Like I said, I'm quite bummed, because I, too, used AMG a lot... it is an invaluable resource and I hope they will start getting their house in order ASAP.

----

I'm sure they will... at least I sure hope they will.

 

I've sent them two messages through their tech support contact form and, when they replied to the first, I replied with more specific info on the subsequent hijack attempts, which clearly were tied to advertising on their site (since AMG was the only place I'd gone with Safari that session). I haven't got any further info from them besides the (apparent) form letter so, either they are inundated with complaints, or they're just shrugging it off.

----

 

> The thing to do, apparently, is to turn off javascript in your browser -- but that's a pain -- everything uses Javascript. For site menus, search forms, links sometimes, all kinds of stuff. The article mentioned a Firefox utility for turning javascript on and off in your browser, maybe that's the way to go.

 

 

NoScript

Enable/disable javascript in Firefox on a site by site basis..

All sites are disabled by default until you enable them...

It's interesting how many sites work fine without the javascript.

I won't run Firefox without it...

----

Thanks FW... ever since my unpleasant experience, this has been in the back of my mind.

 

I'm gonna do it.

UPDATE: I'm back. I did it. It was easy and the interface is slick. It stays out of the way until you need it. Very cool! This editor doesn't work so well without javascript though... heh.

----

 

> It happened to me here at this forum just a bit ago. What did you do, B2B?

 

 

Right.

 

I'll quote myself from what I just posted over in the songwriting forum -- with the important proviso that I am not a security expert:

 

If malware takes over/locks up your Windows based browser -- I've had it happen in Firefox and Safari for Windows, locking up the browsers seemingly completely -- use the ctrl-alt-delete 'three finger salute' to bring up the Windows Task Manager and, at the very least, shut down all instances of the afflicted browser.


DO NOT try to control the browser, even with something as "safe" as the Alt-F4 window closing shortcut -- you'll likely be taken to the bad guys' site where an unpatched browser could be automatically infected, or a patched browser will display socially engineered "come ons" of the "download free video codec" or "your computer is running slow and may be infected" type. Again, the only safe recourse is to use the Win Task Manager to shut it down (and maybe shut down your whole session).


If such a malware exploit starts downloading/installing, close down anyway you can (I once pulled the plug when a careless keystroke started a malware install). Then do a thorough scan using up to date malware/antivirus scanning software (I use the free online scans from Trend Micro's Housecall or Bitdefender) to find and remove any partially downloaded bits.


I've also used Ad-Aware and Spybot Search and Destroy to remove exploitable tracking cookies and other potential threats.




Now -- PREVENTIVE ACTION -- on recommendations from others, I installed the "NoScript" Firefox add-in. (You can search the Firefox add-ins for it.)


It seems to work well, taking only a small bit of overhead and lets you set permission levels on the fly for sites you visit (it blocks javascript by default unless you tell it to let it run). You can also temporarily allow script on a site. It also protects against the frequently exploited "cross-server scripting" used by some legit services but also used to infect the unsuspecting with malware/spyware. (The target with much of this is credit card and password collection but all kinds of nasty things can happen once a back door is installed on your machine. New meaning to the word, "owned.")



Internet Explorer users -- it's very important to keep your browser patched. The latest version of IE (IE7) has similar anti-malware scripting built in -- but you may need to tinker with your user preferences/security settings to get the level of aggressive protection that the current level of attacks warrants. (When activated, the scripting protection asks you if you want to run various forms of javascript or Active X scripting at different sites -- so you can allow it for, say, your bank, but disallow it for, you know, those Russian porn sites you love. (Just kidding. I know you're way too savvy to go straight into the devil's den... porn sites, warez sites -- even some lyrics sites -- a lot of stuff in the gray area -- are common infection vectors for malware.)




And, Mac users, don't start feeling too smug, they're now targeting you with similar socially-engineered exploits, trying to entice you to voluntarily install malware under the guise of video codecs, helper programs, utilities, etc.

 

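The per-site script allowlisting that two posts in this thread describe (the Register excerpt's caveat that ads served from the trusted site's own host get through, and the NoScript recommendation in the post just above) is easy to see in a small model. What follows is an added example written for this thread, not NoScript's own code and not anything from the original posts; the site and ad-network hostnames and the script paths are constructed, and real NoScript does more (temporary permissions, plugin and cross-site request filtering) than this sketch shows.

```javascript
// Added example, not code from the thread or from NoScript itself: a
// minimal model of the per-site script allowlisting the thread describes
// (deny by default; a site's scripts run only once the user allows its
// origin). All hostnames and script paths below are constructed.

// Resolve the origin a script would run under. Inline scripts (no src)
// run under the page's own origin.
function scriptOrigin(pageUrl, src) {
  const base = new URL(pageUrl);
  return src === null ? base.origin : new URL(src, base).origin;
}

// Apply the allowlist to every script on a page.
// allowlist: array of origins such as "https://www.example-music-site.com".
function evaluateScripts(pageUrl, scripts, allowlist) {
  const allowed = new Set(allowlist);
  return scripts.map(s => {
    const origin = scriptOrigin(pageUrl, s.src);
    return { name: s.name, origin, runs: allowed.has(origin) };
  });
}

// Constructed page: an inline menu script and a search script (both first
// party), a banner from a third-party ad server, and a banner the site
// serves from its own host. The last one is the case the Register article
// warns about: once the user trusts the site, an origin-based allowlist
// cannot tell that ad apart from the site's own scripts.
const PAGE = "https://www.example-music-site.com/album/123";
const SCRIPTS = [
  { name: "site menu (inline)", src: null },
  { name: "search form", src: "/js/search.js" },
  { name: "banner from ad network", src: "https://ads.example-adnetwork.net/banner.js" },
  { name: "banner served by the site itself", src: "/ads/rogue-banner.js" },
];

// Names of the scripts that would run under a given allowlist.
function scriptsThatRun(allowlist) {
  return evaluateScripts(PAGE, SCRIPTS, allowlist)
    .filter(r => r.runs)
    .map(r => r.name);
}

// Default deny: an empty allowlist runs nothing, which is the state in
// which "many sites work fine without the javascript".
console.log("nothing allowed:", scriptsThatRun([]));
// Allowing the site restores menus and search and still blocks the ad
// network's script, but the ad the site serves itself rides along.
console.log("site allowed:  ", scriptsThatRun(["https://www.example-music-site.com"]));
```

The second line of output is the practical caveat: allowing a site in NoScript is a decision about every script that site's own servers hand you, including ad creative the site proxies or hosts, so an allowlist is a mitigation against third-party ad scripts, not a guarantee about a site you have chosen to trust.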