Menu
New malvertising campaign hit visitors of several high-profile sites

New malvertising campaign hit visitors of several high-profile sites

Attackers redirected users to Web-based exploits by pushing malicious advertisements onto popular sites, researchers from Fox-IT said

Some visitors to several high-profile websites last week were redirected to browser exploits that installed malware on their computers because of malicious advertisements on those sites.

The attack affected visitors to Java.com, Deviantart.com, TMZ.com, Photobucket.com, IBTimes.com, eBay.ie, Kapaza.be and TVgids.nl between Aug. 19 and Aug. 22, according to researchers from Dutch security firm Fox-IT.

"These websites have not been compromised themselves, but are the victim of malvertising," the researchers said Wednesday in a blog post. "This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware."

The rogue ads were distributed through AppNexus, a company that runs a real-time online advertising platform, and redirected visitors to an instance of the Angler exploit kit, according to the Fox-IT analysis. This attack tool can exploit vulnerabilities in outdated versions of Flash Player, Java and Microsoft Silverlight to silently install malicious programs on users' computers.

In this particular attack, hackers used the Angler exploit kit to install a variant of the Asprox botnet malware, the Fox-IT researchers said. "Asprox is a notorious spam botnet which has upped its game over these past few months by using the infected machines to perform advertisement clicking fraud."

While Asprox is primarily known for sending spam, the malware also has other malicious functionality including scanning websites for vulnerabilities and stealing log-in credentials stored on computers.

Similar attacks have been reported across various advertising networks and websites over the years and prompted an investigation by the U.S. Senate. This latest incident suggests that their sophistication is growing.

In this particular case, attackers took advantage of an online advertising practice known as retargeting to make their attack harder to detect. Retargeting involves leaving tracking data like cookies or other files inside users' browsers when they visit certain brand websites, so that they can later be shown ads about those brands on other sites.

"Clients were affected when they were retargeted due to having interesting tracking data," the Fox-IT researchers said via email. "Interestingly enough, this tracking data was used to deliver malicious content."

By being selective and displaying the rogue ads only to browsers that stored certain metadata, the attackers likely made it harder for site owners to detect the rogue content or to investigate reports from potentially affected users, as replicating the malicious behavior would have proven difficult.

The attackers also took advantage of the real-time bidding process that's used to serve ads based on user metadata like geographical location, browser type and Web browsing history. This mechanism allows advertisers to bid in real time to display their ads to visitors that meet certain criteria.

"In the case of this malvertising campaign the malicious advertisers were the highest bidders," the Fox-IT researchers said in their blog post.

"Malvertising is a known problem within the online ecosystem and one the industry takes very seriously," said Graham Wylie, senior director of marketing for the EMEA and APAC regions at AppNexus via email. "In recent months we have seen increasing complexity in attacks and have taken steps to identify and remove the source of these. We provide some of the industry's best tools for detecting and blocking questionable material and employ a team of auditors to ensure high standards are met. We are continuously learning, and make changes to our systems and processes as a result, but are unable to share any specific details as this could help those trying to bypass our safeguards."

Photobucket, DeviantART and Oracle did not immediately respond to requests for comment about the malvertising attack that, according to Fox-IT, affected their websites.

Given the selective targeting used in the attack it's hard to know the number of victims. However, users who visited the affected sites recently, especially during the time frame specified by Fox-IT, should scan their computers for malware.

There is no silver bullet to protect against this type of attack, but there are some methods to reduce the risk of compromise for users, the Fox-IT researchers said. These include enabling click-to-play for plug-in-based content in browsers that offer the feature, keeping browser plug-ins up to date, disabling plug-ins that are no longer needed and using ad blocking extensions.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags DeviantARTFox-ITonline safetysecurityDesktop securityPhotobucketAppNexusmalwareOracle

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments