Paul, an avid reader of our blog, asked us to investigate flabber.nl since it led him to a Rogue-hosting website. When we initially checked it, we found nothing. Must be those geolocation-sensing ads. To solve that, Paul sent in packet logs captured when he visited flabber.nl.
And soon it showed that one ad goes a long way.
+partner.googleadservices.com
++pubads.g.doubleclick.net
+++ad.bannerconnect.net
++++ad.yieldmanager.com
+++++("pharmacy" site that contains a link to a Rogue-hosting site)
++++++The Rogue-hosting site
From googleadservices to yieldmanager.com, it all looks like normal ad traffic. Then, an ad reference from yieldmanager.com sends it downhill to a "pharmacy" website, then to…
And when you leave, well, the Rogue website reminds you to come back…
The latest Rogue AV hosted here is already detected in our latest databases, and the parties involved were already being notified to shut down the offending websites and contact flabber.nl.
Updated to add: Flabber.nl has been very quick and vigilant in removing the offending ad and has already cleaned up their site. Thank you for the immediate action, guys.
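The chain above can be rebuilt from a packet log by following Referer headers backwards from the final site. The sketch below is an added example, not the tooling used for the original analysis: the request list is constructed, the two `.example` hosts are placeholders for the unnamed pharmacy and Rogue-hosting sites, and treating the listed ad hosts as "expected" is an assumption made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: (requested URL, Referer header) pairs as extracted from
# a browser packet capture. Paths are made up; the .example hosts are placeholders.
REQUESTS = [
    ("http://flabber.nl/", None),
    ("http://flabber.nl/style.css", "http://flabber.nl/"),
    ("http://partner.googleadservices.com/a", "http://flabber.nl/"),
    ("http://pubads.g.doubleclick.net/b", "http://partner.googleadservices.com/a"),
    ("http://ad.bannerconnect.net/c", "http://pubads.g.doubleclick.net/b"),
    ("http://ad.yieldmanager.com/d", "http://ad.bannerconnect.net/c"),
    ("http://pharmacy.example/", "http://ad.yieldmanager.com/d"),
    ("http://rogue-av.example/scan", "http://pharmacy.example/"),
]

# Assumption for this example: the publisher plus the ad hosts named in the post.
EXPECTED = {"flabber.nl", "partner.googleadservices.com", "pubads.g.doubleclick.net",
            "ad.bannerconnect.net", "ad.yieldmanager.com"}

def host(url):
    return urlsplit(url).hostname

def referer_chain(requests, final_host):
    """Follow Referer headers back from final_host to the page the user opened."""
    parent = {}
    for url, referer in requests:
        h = host(url)
        rh = host(referer) if referer else None
        if rh != h:                    # ignore same-host sub-resources
            parent.setdefault(h, rh)   # keep the first sighting of each host
    chain, h = [], final_host
    while h is not None and h not in chain:   # 'not in chain' guards against loops
        chain.append(h)
        h = parent.get(h)
    return chain[::-1]

def first_unexpected_hop(chain, expected):
    """Return (referring host, new host) for the first hop outside the expected set."""
    for prev, cur in zip(chain, chain[1:]):
        if cur not in expected:
            return prev, cur
    return None

def render(chain):
    """Print the hops after the publisher in the '+' depth notation used above."""
    return ["+" * depth + h for depth, h in enumerate(chain[1:], start=1)]

if __name__ == "__main__":
    chain = referer_chain(REQUESTS, "rogue-av.example")
    print("\n".join(render(chain)))
    print("first unexpected hop:", first_unexpected_hop(chain, EXPECTED))
```
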