Some of the biggest online advertising networks this weekend served malware-laden ads to some of the Internet’s highest-trafficked websites.
Some of the most visited sites on the Internet began delivering malware-laden ads this weekend. The sites affected included The New York Times, the BBC, MSN, and AOL. Those who visited a site delivering the ads are not at risk unless they clicked on an infected ad. After clicking, users are taken to another website which attempts to infect them with either Cryptowall ransomware or a trojan that gives the attackers control of the infected computer. The good news for FOSS Force readers is that the malware seems to work only against Windows, so GNU/Linux users are considered safe.
Although the sites delivering the ads are not at fault, this attack does point to a major weakness in the current method for delivering ads to websites. The attacks affected ad networks owned by Google, AppNexus, AOL, Rubicon and possibly others, which must shoulder at least some of the blame: they are the gateway on which most advertising-supported websites, both large and small, depend to ensure that the ads displayed to their visitors are malware free.
According to a blog post on Monday by Trend Micro, tens of thousands of users may have been infected by the campaign, which takes advantage of vulnerabilities in Adobe Flash, Microsoft Silverlight and other software. The cracker/hackers behind the campaign were able to deliver ads by way of a once-trusted ad-serving domain name, which the owner had allowed to expire in January and which had been purchased just days before the current attack.
Another security company, SpiderLabs, detailed how they initially discovered the attack.
“If the code doesn’t find any of these programs, it continues with the flow and appends an iframe to the body of the HTML that leads to the Angler EK landing page. Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware – double the trouble.”
According to SpiderLabs’ report, several other once-trusted but now expired media domain names have also been snapped up in the last few days and are “exhibiting the same characteristics as brentsmedia[.]com,” meaning that this is no time for ad-delivering networks to rest on their laurels.
Jerome Segura with Malwarebytes reports that the attack was preceded by a smaller attack that began on Friday, delivering a different malicious payload that could have been a test run for Sunday’s large-scale attack.
This latest malvertising attack, like most others, exploited a security problem built into the delivery system of most advertising networks. Although a network may vet ads hosted and served from its own servers, the big networks often deliver ads from other sources that never touch their servers and are therefore not vetted. This practice introduces a weak link into the process and is an issue that needs addressing.
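Both weaknesses described above (an allowlisted ad-serving domain that lapsed and was re-registered, and third-party ad sources that are never re-examined) can be caught by periodically re-checking an allowlist against current registration data. The following is an added example written for this article, not code from any ad network or security vendor: the domain names, dates and WHOIS-style records are constructed, and a real deployment would replace the `CURRENT_WHOIS` dict with an RDAP or WHOIS client.

```python
"""Re-vet an ad network's domain allowlist against current registration data."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class VettedDomain:
    domain: str        # allowlisted third-party ad-serving host
    vetted_on: date    # day the network approved it
    created_on: date   # registration creation date recorded at vetting time

# Constructed WHOIS snapshots for the "current" day; None means no registration exists.
CURRENT_WHOIS = {
    "ads.vetted-example.test": {"created": date(2012, 5, 1), "expires": date(2017, 5, 1)},
    "cdn.reregistered-example.test": {"created": date(2016, 3, 10), "expires": date(2017, 3, 10)},
    "media.lapsed-example.test": None,
}

# Constructed allowlist as the network recorded it when each domain was approved.
ALLOWLIST = [
    VettedDomain("ads.vetted-example.test", date(2015, 6, 1), date(2012, 5, 1)),
    VettedDomain("cdn.reregistered-example.test", date(2015, 6, 1), date(2010, 1, 20)),
    VettedDomain("media.lapsed-example.test", date(2015, 6, 1), date(2011, 8, 3)),
]
TODAY = date(2016, 3, 15)  # constructed evaluation date

def revalidate(allowlist, whois, today, young_days=30):
    """Return {domain: reason} for allowlist entries that should lose their trust."""
    flagged = {}
    for entry in allowlist:
        rec = whois.get(entry.domain)
        if rec is None:
            flagged[entry.domain] = "no current registration (expired or dropped)"
        elif rec["created"] > entry.created_on:
            # A creation date newer than the one recorded at vetting means the
            # registration lapsed and was re-created, possibly by a new owner.
            flagged[entry.domain] = "re-registered since vetting"
        elif rec["expires"] < today:
            flagged[entry.domain] = "registration expired"
        elif today - rec["created"] < timedelta(days=young_days):
            flagged[entry.domain] = "registration younger than %d days" % young_days
    return flagged

def demo():
    """Run the check over the constructed data set."""
    return revalidate(ALLOWLIST, CURRENT_WHOIS, TODAY)

if __name__ == "__main__":
    for domain, why in demo().items():
        print("REVOKE %s: %s" % (domain, why))
```

Entries flagged here should be pulled from rotation until the domain is re-vetted, since the check only proves that ownership may have changed, not that the new owner is malicious.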