New malvertising campaign hit visitors of several high-profile sites
Some visitors to several high-profile websites last week were redirected to browser exploits that installed malware on their computers because of malicious advertisements on those sites.
The attack affected visitors to Java.com, Deviantart.com, TMZ.com, Photobucket.com, IBTimes.com, eBay.ie, Kapaza.be and TVgids.nl between Aug. 19 and Aug. 22, according to researchers from Dutch security firm Fox-IT.
“These websites have not been compromised themselves, but are the victim of malvertising,” the researchers said Wednesday in a blog post. “This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware.”
The rogue ads were distributed through AppNexus, a company that runs a real-time online advertising platform, and redirected visitors to an instance of the Angler exploit kit, according to the Fox-IT analysis. This attack tool can exploit vulnerabilities in outdated versions of Flash Player, Java and Microsoft Silverlight to silently install malicious programs on users’ computers.
In this particular attack, hackers used the Angler exploit kit to install a variant of the Asprox botnet malware, the Fox-IT researchers said. “Asprox is a notorious spam botnet which has upped its game over these past few months by using the infected machines to perform advertisement clicking fraud.”
While Asprox is primarily known for sending spam, the malware also has other malicious functionality including scanning websites for vulnerabilities and stealing log-in credentials stored on computers.
Similar attacks have been reported across various advertising networks and websites over the years and prompted an investigation by the U.S. Senate. This latest incident suggests that their sophistication is growing.
In this particular case, attackers took advantage of an online advertising practice known as retargeting to make their attack harder to detect. Retargeting involves leaving tracking data like cookies or other files inside users’ browsers when they visit certain brand websites, so that they can later be shown ads about those brands on other sites.
“Clients were affected when they were retargeted due to having interesting tracking data,” the Fox-IT researchers said via email. “Interestingly enough, this tracking data was used to deliver malicious content.”
By being selective and displaying the rogue ads only to browsers that stored certain metadata, the attackers likely made it harder for site owners to detect the rogue content or to investigate reports from potentially affected users, as replicating the malicious behavior would have proven difficult.
The attackers also took advantage of the real-time bidding process that’s used to serve ads based on user metadata like geographical location, browser type and Web browsing history. This mechanism allows advertisers to bid in real time to display their ads to visitors that meet certain criteria.
“In the case of this malvertising campaign the malicious advertisers were the highest bidders,” the Fox-IT researchers said in their blog post.
“Malvertising is a known problem within the online ecosystem and one the industry takes very seriously,” said Graham Wylie, senior director of marketing for the EMEA and APAC regions at AppNexus via email. “In recent months we have seen increasing complexity in attacks and have taken steps to identify and remove the source of these. We provide some of the industry’s best tools for detecting and blocking questionable material and employ a team of auditors to ensure high standards are met. We are continuously learning, and make changes to our systems and processes as a result, but are unable to share any specific details as this could help those trying to bypass our safeguards.”
Photobucket, DeviantART and Oracle did not immediately respond to requests for comment about the malvertising attack that, according to Fox-IT, affected their websites.
Given the selective targeting used in the attack it’s hard to know the number of victims. However, users who visited the affected sites recently, especially during the time frame specified by Fox-IT, should scan their computers for malware.
There is no silver bullet to protect against this type of attack, but there are some methods to reduce the risk of compromise for users, the Fox-IT researchers said. These include enabling click-to-play for plug-in-based content in browsers that offer the feature, keeping browser plug-ins up to date, disabling plug-ins that are no longer needed and using ad blocking extensions.