The above sums it up. McAfee SiteAdvisor shows our site (lucire.com) to be a “red” one in the Add-on bar in Firefox, but when I click through, it reports that we are clean (https://www.siteadvisor.com/sites/http://lucire.com). Every link to our site in search results, Facebook, etc. also has a red X next to it.
Background: hackers did get into our ad server on April 6. We fixed this immediately. Hence, the ad server (ads.jyanet.com) is reported as a green site (rightly). We never had any malware, though for a few hours on the 6th the hack tried to link our site to one that hosted malware. I should note that the hackers used what appeared to be Google Adsense code.
Why McAfee is showing lucire.com as red, I do not know. StopBadware.org and Sucuri all show us to be clean, and Google eventually put things right last week, too.
Hayton and Peter, thank you both. Hope it can get sorted soon (the red is still there). Interestingly, McAfee gave us green until Thursday or Friday, even though we were clean by then. It was only last Saturday (the 6th) that we had the hack.
I see SiteAdvisor gives your site a Green rating, and all the links to it that SiteAdvisor knows about are also Green.
TrustedSource also shows the site and its links are Green.
When I visited the site there was a black banner at the top of the webpage notifying that some external (third-party) content had been blocked. Sure enough, on the right-hand side about half-way down there was a shaded box with a do-not-enter symbol.
The Alt text for this box reads as follows (I have highlighted the important parts of the message):
URL http://ads.creafi-online-media.com/st?ad_type=iframe&ad_size=300x250&section=1951182 is blocked
iframes are inherently suspect from a security point of view because they permit malware to be inserted dynamically into a web page. I doubt that the iframe itself is the reason for the block, though. NoScript in Firefox blocks this iframe and also another one some way above it (along with an extensive list of third-party content). I haven't found any reason for creafi-online-media to be singled out for blocking by SiteAdvisor, so it must be that the content of the iframe was analysed and decided to be suspect, and so was blocked.
That is not the only place I see this problem on the site, but in all cases it appears to be content from creafi-online-media that is being blocked. It's difficult to see exactly what the blocked content is, because I have AdBlock and DoNotTrackMe running, and my security settings are restrictive. I can see 8 or 9 advertising companies on various webpages which are blocked from tracking me on your site. On some pages the blocked content is invisible - it is not allowed to display at all.
Nevertheless it seems likely that the blocked iframe is attempting to deliver a Flash advertisement, and SiteAdvisor believes the content of this iframe to be unsafe. Until you can get that Flash advertisement declared safe (and find out where exactly it comes from), perhaps you should just temporarily remove the link from your webpages.
You might also want to correct something on your site that is causing a couple of security warnings when Sucuri scans it -
Hi Hayton: thank you. That’s a really good clue—in the past, we’ve noticed SiteAdvisor block the odd Doubleclick one, but not Creafi. They all display for me but it’s likely it’s a geo-targeted ad that has been deemed dodgy. I can mention it to the guys there and see if we can get that sorted, or remove them as you say.
Do you think that would cause the red warning in my browser though? I’m still seeing it in my browser but if I click through, everything is green.
Those two pages that Sucuri deems unsafe do not exist (I have just checked), so I am not sure what it’s referring to. I’ll have our web dev check through them.
On a Google search for your site some of the results were flagged Red, while most are Green.
I called up half a dozen of the Red pages and looked to see what was being blocked. In all cases the Red rating is caused by that one advertisement from creafi-online-media. If you take that out, I would expect your site to show Green in all Google searches.
SiteAdvisor and TrustedSource give your site a Green rating on their site pages because what's being flagged is dynamic content - and also external content - and the block is being done as the page is scanned during download. I assume that the Red flags in Google searches are the result of feedback to Google from SiteAdvisor when the content is first flagged.
If you override a SiteAdvisor blocking page and decide to go to a webpage that SiteAdvisor is warning you about, SiteAdvisor will add that webpage to a whitelist, so you won't get blocked again. The SiteAdvisor icon in the browser will still show Red (or Yellow) though.
As an experiment I called up one of the Red-flagged pages in Chrome (without SiteAdvisor) and disabled a number of blocking filters in order to get this advertisement to display. It didn't look like a Flash advertisement, just an image (with Creafi's name and some other text overlaid).
I then right-clicked on it to inspect its make-up and see what was so special about it.
Google Chrome crashed immediately.
I think that says something, but I'm not sure what.
Message was edited by: Hayton on 15/04/13 02:27:26 IST
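Hayton's two posts above find the Red flag by hand: the page is Green on its own, but one third-party iframe (the creafi-online-media ad) is external, dynamic content that gets blocked as the page downloads. The script below is an added example, not code from this thread, from McAfee or from lucire.com: it inventories every off-site iframe/script/embed in a page's HTML and singles out the hosts that inject whole frames, so a site owner can list what a SiteAdvisor-style scanner will judge before removing an ad. The sample page and the ad.doubleclick.net and ads.jyanet.com URLs in it are constructed; only the creafi URL is the one quoted in the thread.

```python
# Added example (not code from the forum thread): inventory the third-party
# iframes/scripts a page embeds, the way Hayton did by hand, so a site owner
# can see which external origins a SiteAdvisor-style scanner will judge.
from html.parser import HTMLParser
from urllib.parse import urlparse

EMBED_TAGS = ("iframe", "script", "embed", "object")

class ExternalContentAuditor(HTMLParser):
    """Collect (tag, host, url) for every embed whose src is off-site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:
            return
        attrs = dict(attrs)
        src = attrs.get("src") or attrs.get("data")  # <object data=...>
        if not src:
            return  # inline script or empty iframe: nothing is fetched
        host = urlparse(src).hostname  # also handles //host/path forms
        if host is None:
            return  # relative URL, served from our own origin
        host = host.lower()
        if host == self.site_host or host.endswith("." + self.site_host):
            return  # same site (www. and other subdomains included)
        self.found.append((tag, host, src))

def audit_third_party(html, site_host):
    """Return {host: [(tag, url), ...]} for all off-site embeds."""
    parser = ExternalContentAuditor(site_host)
    parser.feed(html)
    report = {}
    for tag, host, url in parser.found:
        report.setdefault(host, []).append((tag, url))
    return report

def iframe_hosts(report):
    """Hosts that inject whole frames (the riskiest embed kind), sorted."""
    return sorted(h for h, items in report.items()
                  if any(tag == "iframe" for tag, _ in items))

# Constructed sample page; only the creafi URL is the one quoted in the thread.
SAMPLE_HTML = """<html><body>
<script src="/js/site.js"></script>
<script src="https://www.lucire.com/js/menu.js"></script>
<iframe src="http://ads.creafi-online-media.com/st?ad_type=iframe&amp;ad_size=300x250&amp;section=1951182"></iframe>
<iframe src="//ads.jyanet.com/banner?zone=1"></iframe>
<script src="https://ad.doubleclick.net/example.js"></script>
</body></html>"""

if __name__ == "__main__":
    for host, items in audit_third_party(SAMPLE_HTML, "lucire.com").items():
        print(host, [tag for tag, _ in items])
```

Run against a saved copy of each Red-flagged page; any host that appears only in the Red pages and not in the Green ones is the embed to pull first.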
Wow. Hayton, this is going above and beyond. Thank you—this is fantastic. I’ll remove as many of the Creafi ads as I can, so that’ll be step one. I haven’t got in touch with the Creafi guys yet but I’m going to refer them to this page. In the meantime, I’ll do as you advised for the pages I’m seeing as red-flagged here.
I submitted the URL of this advertisement to JSUNPACK for analysis. The result returned was "Benign". That doesn't prove there's nothing suspect about this advertisement, but it does at least provide some more information. JSUNPACK have another report on one of their advertisements, if you care to look for it.
I find references to creafi-online-media in quite a number of malware incident reports (ThreatExpert reports, discussions on Ubuntu forums and many other places). They always seem to be tangentially involved rather than prime culprits, but their name occurs rather too often. Perhaps their server security isn't as good as it should be.
Message was edited by: Hayton on 15/04/13 04:07:54 IST