Cometcom1
Member
join:2009-04-18
Denmark

to HowDoesItWork

Re: foxnews.com infected?

The actual infection is pretty nicely covered with the existing comments here, but how does this malware actually hide?

The advertising is loaded from the advertising servers, i.e. it might be hosted there or it might be external content that is injected in an iframe.

There are two ways that the fake av is initiated after this initial advertising loading.

JavaScript redirect - done by hacking the server containing the ad and adding or modifying existing script files.

.htaccess redirect - done by hacking the server containing the ad and forcing a redirect based on the referrer, i.e. the ad can be displayed on multiple sites, but only if it is embedded in particular sites will it trigger a redirect. This is most often seen on search engine redirects.
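
An added example, not part of the post above: a check a site owner could run over an `.htaccess` file to flag the referrer-gated redirect described there. The sample file, its placeholder hostnames and the function name `find_referrer_redirects` are constructed for illustration.

```python
import re

# Constructed sample of a tampered .htaccess (all hostnames are placeholders).
SAMPLE_HTACCESS = """\
RewriteEngine On
# legitimate canonical-host rule
RewriteCond %{HTTP_HOST} ^example\\.invalid$ [NC]
RewriteRule ^(.*)$ https://www.example.invalid/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*news-site\\.invalid.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*search\\.invalid.* [NC]
RewriteRule ^(.*)$ http://redirect-target.invalid/scan.php [R=302,L]
"""

COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)

def find_referrer_redirects(text, own_hosts=()):
    """Return (line_no, referrer_patterns, target) for every RewriteRule that
    is gated on HTTP_REFERER and points at a host outside own_hosts."""
    findings, pending = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = COND.match(line)
        if m:
            pending.append((m.group(1), m.group(2)))
            continue
        m = RULE.match(line)
        if not m:
            continue
        # RewriteCond lines apply only to the RewriteRule that follows them.
        target = m.group(2)
        refs = [pat for var, pat in pending if "HTTP_REFERER" in var.upper()]
        pending = []
        # An absolute URL to another host makes mod_rewrite redirect externally.
        host = re.match(r"https?://([^/:]+)", target, re.I)
        if refs and host and host.group(1).lower() not in own_hosts:
            findings.append((no, refs, target))
    return findings

if __name__ == "__main__":
    for no, refs, target in find_referrer_redirects(
            SAMPLE_HTACCESS, own_hosts={"www.example.invalid"}):
        print(f"line {no}: referrer-gated redirect to {target} for {refs}")
```

Because the rule only fires for certain referrers, loading the ad directly will not show the redirect; reading the rules, as here, does not depend on reproducing the visit.
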
amungus
Premium Member
join:2004-11-26
America

I am also interested in how it "hides" as well...

Last infection I got on one of my machines (first one in years) was likely due to an iframe. That, or the unlikely chance that an infected gmail "news ticker" (whatever it's called above the inbox - which I've disabled since then...) did it.

iframes have also been forbidden in noscript ever since that.

Agree with a post earlier - this is why I have zero qualms about using adblockplus, and especially noscript. Two of the best plugins IMHO.

Was shocked, however, to still get an infection with these two plugins......
iFrames have only been "forbidden" on the one machine I saw the infection on. On others, I've left noscript at its default settings for the most part.