Ad Serving Firm Delivers Virus
Falk AG became an agent of the Bofra virus on Saturday, delivering the exploit to users whose browsers requested ads from its customers' sites.
Ad management firm Falk AG briefly became an agent of the Bofra virus on Saturday, delivering the Internet Explorer exploit to users whose browsers requested ads from its customers’ sites. The incident occurred between 12:10 a.m. and 6:30 a.m. Eastern Standard Time.
“On Saturday a virus was found on the Falk network which was inadvertently redistributed to a small number of users,” the company said in a statement.
Falk estimated two percent of its users received the virus, which it removed shortly after detection. Bofra originated on the company’s European network, but the statement did not address whether it had spread to publisher clients in other regions.
Falk’s publisher clients include Sony Pictures Digital, NBC Universal, Interep Interactive, AtomShockwave, The Golf Channel and The Register.
The Register, a tech-focused Web site, issued an alert to its readers on Sunday following the incident. The publisher urged users who visited in that window to update their virus software, and said it had suspended its patronage of Falk pending a deeper explanation of the incident. As of Monday morning, the publisher did not appear to be serving ads.
The Register also published a statement it received from Falk that differed from the one the ad serving company issued to the media. In it, Falk said the virus entered its network through a hacker attack on one of its load balancers. A load balancer is software that handles even distribution of ads to all servers.
“The use of a weak point in one of our load balancers led to user requests not being passed to the ad servers,” that statement said. “Instead the user requests were answered with a 302 redirect to a compromised website. This happened with approximately every 30th request. Users visiting websites that carry banner advertising delivered by our system were periodically delivered a file from the compromised site. This file tries to execute the IE-Exploit function on the users’ computer.”
Falk promised another statement would be released today, more fully explaining the incident.
Interactive marketing blog MarketingVOX first spotted The Register‘s statement and reported the incident.
