I took a look around and found that the problem is widespread, has been going on for some months and is still alive, and @libero.it users are complaining. Libero.it knows that, but keeps minimizing. For them it is something to be left in the user's hands; the case is closed. I think that too many users are involved for them to simply wash their hands of it. It's a pitiful excuse, and they do not seem to feel any need to keep users better informed. Their only other post after May 29 is one on June 14 to inform users of a blackout.
At the beginning of this spam campaign, which has been going on for about three months if not more, I had the opportunity to analyze a customer's PC that was behaving strangely. The computer was working but had lost its internet connection. The problem was in the ADSL router, which was propagating a faulty DNS through DHCP. She was in a hurry because she needed to read her emails, and both email and ADSL were provided by @libero.it.
With the DNS problem solved, she clicked on one of her desktop links pointing to the Libero home page, and the browser immediately downloaded an update for Chrome. The Avira antivirus remained quiet, but I know that Chrome is self-updating and never prompts users to download, so I immediately forbade her to open the update.
I immediately uploaded it to VirusTotal, which showed that about 20 AV engines out of about 50 consider it a trojan. I doubt that Libero.it is deliberately infecting its users, but maybe it has been hacked in some way. After clearing the browser cache I tried to reload the page, but this time there were no downloads. My job was done, but I carefully warned the user not to accept or download updates from untrusted sources. Should Chrome one day need explicit updates, they have to come from Google's site and not from others.
Time has passed but the problem (and the spam messages) remains. My Gmail account filters out spam very efficiently, so I have little evidence of it. Suddenly an idea popped up: I have some friends with @libero.it mailboxes who are sending me mail without any sign of spam, and the rate of spam messages has been a bell-shaped curve, not a single burst. This means that this was not a "data breach" against Libero.it; some users are more vulnerable than others. Which ones?
It seems that the problem is hitting webmail users, while those who were using MS Outlook or Thunderbird are untouched. On the other side, the problem seems to involve only @libero.it users and not other webmail users. So the root cause should be there.
Gmail and Hotmail have a very clean login, without any ads, a very different situation from @libero.it. Honestly, I use an adblocker, so for me it is a rare event to see ads on web pages. To see that difference I shut down the adblocker. In my opinion that was, and maybe still is, their problem. This could be a typical malvertising case, a kind of malware on the rise. In this incident, everyone who was hit through that site had the same email provider, and the first credentials stolen were probably those of the email account, hence the flow of spam from @libero.it.
It's a good way to infect a site: you don't even need to hack it. You just buy ad space from an ad provider, start with a legitimate and innocuous ad, then switch to a more malicious one.
In those cases a good adblocker is worth more than an antivirus. An interesting lesson learned.