Ad network compromised to redirect users to Nuclear EK, install Carberp
Attackers targeted a server operated by New Jersey-based advertising network, Mad Ads Media, in order to redirect users to an exploit kit.
Attackers compromised an ad network's server in an apparent attempt to redirect visitors to websites using the platform to the Nuclear exploit kit (EK), new research reveals.
On Thursday, Joseph Chen, a fraud researcher at Trend Micro, detailed the incident, which was first detected in April and, at its peak this month, put more than 12,000 users at risk. According to Chen, Mad Ads Media, a New Jersey-based advertising network, was targeted to further a redirect scheme that featured the financial malware Carberp as the final payload of the infection chain.
While Mad Ads Media quickly investigated and remediated the issue after Trend Micro notified the company about the compromise, the security firm found that as many as 12,500 users per day were affected by the threat at its peak this past Saturday. Chen noted that the research team “initially thought that this was another case of malvertising, but later found evidence that said otherwise.”
Users were in danger of being redirected to Nuclear EK, which delivered Adobe Flash exploits targeting CVE-2015-0359, a vulnerability patched in April, Chen said. Nuclear has been used by cybercriminals to spread crypto-ransomware, he added.
In a Friday interview with SCMagazine.com, Tom Kellermann, chief cybersecurity officer at Trend Micro, said that the majority of the affected web traffic in this incident was from users in the U.S. (the blog also pointed out that significant traffic came from users in Japan and Australia).
“Chief marketing officers are being forced to acknowledge that they need to be cognizant of cyber security,” Kellermann said, referencing schemes that target internet marketers to scale larger attack campaigns. “CMOs need to be challenged to invest part of their budget in protecting the brand, and to do that they need to ensure their sites are insulated from the OWASP Top 10 [web application risks].”
In his blog post, Trend Micro's Chen noted that, as of Friday, the affected URL was no longer connecting to the Nuclear exploit kit.