
Large malvertising campaign uses casino sites to unload Angler Exploits

Researchers at Malwarebytes identified a large malvertising campaign that automatically redirects users to casino websites. The casino sites serve only as decoys: they silently load the Angler exploit kit, which then performs "drive-by downloads" of malware onto vulnerable machines.

The scheme started with a “malicious ad displaying on a victim's web page, at which point the victim would be redirected to a casino website used as a decoy to silently load malware onto the machine,” Jerome Segura, senior security researcher at Malwarebytes Labs, said in a statement emailed to SCMagazine.com.

Researchers believe the campaign launched on Oct. 21 and said the attack preyed on visitors to “sketchy websites” offering content such as torrents of copyrighted movies, live streams of movies, and pirated software, according to a Nov. 17 blog post.

It is unclear how many were infected by the exploit kits but researchers noted that the three casino sites that acted as the intermediary for the exploit kit had a combined total of more than 1 million visits while the ad network generated more than 2 billion visits in October, according to the post.

“In all likelihood, a very large number of people were exposed to malware because of this campaign,” Segura said.

Researchers said in the blog post that the ad network domains were almost all registered via "Domains By Proxy LLC, meaning no information was available about the registrant but they were all through GoDaddy and on the same ASN: AS15169.”

Segura said the researchers were able to identify one of the ad networks as AdCash, and that they believe all of the malicious ad networks were run by AdCash because they used the same ad call parameters.
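The infrastructure pivot the researchers describe (shared registrar proxy, shared ASN, identical ad-call parameter set) can be reproduced on observed redirect-chain URLs. The following is an added example written for this page, not code from Malwarebytes or the blog post; the domains, ASNs and parameter values are constructed sample data, and the hostnames use the reserved .test TLD.

```python
"""Cluster ad-network hosts by shared infrastructure and ad-call signature.

The idea mirrors the pivot described in the Malwarebytes post: hosts that
share a privacy-proxied registrant, the same ASN and the same set of ad-call
query parameters are candidates for a single operator.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample observations (hypothetical hosts, registrars, ASNs and
# parameter values). Each entry is one ad call seen in a redirect chain plus
# the WHOIS/ASN attributes looked up for its host. ASNs are from the
# documentation range (RFC 5398), not real networks.
OBSERVATIONS = [
    {"url": "http://adnet-one.test/adcall?zoneid=1001&pub=7&rnd=0.43",
     "registrar": "Domains By Proxy, LLC", "asn": "AS64496"},
    {"url": "http://adnet-two.test/adcall?pub=7&rnd=0.91&zoneid=1002",
     "registrar": "Domains By Proxy, LLC", "asn": "AS64496"},
    {"url": "http://adnet-three.test/serve?rnd=0.12&zoneid=1003&pub=7",
     "registrar": "Domains By Proxy, LLC", "asn": "AS64496"},
    # Different parameter set and infrastructure: should not cluster.
    {"url": "http://other-ads.test/serve?slot=12&site=xyz",
     "registrar": "Example Registrar", "asn": "AS64497"},
    # Same parameter names and registrar proxy but a different ASN: the
    # combined key keeps it separate, which is the point of pivoting on
    # several attributes at once rather than on one.
    {"url": "http://legit-cdn.test/adcall?zoneid=5&pub=9&rnd=0.2",
     "registrar": "Domains By Proxy, LLC", "asn": "AS64498"},
]


def ad_call_signature(url):
    """Return the sorted tuple of query parameter names in an ad-call URL.

    Only the names are used: values such as zone IDs and cache-busting
    random numbers vary per call, while the parameter layout is a property
    of the ad-serving software.
    """
    query = urlsplit(url).query
    return tuple(sorted({name for name, _ in parse_qsl(query, keep_blank_values=True)}))


def cluster(observations):
    """Group hosts by (registrar, ASN, ad-call signature)."""
    groups = defaultdict(set)
    for ob in observations:
        host = urlsplit(ob["url"]).hostname
        key = (ob["registrar"], ob["asn"], ad_call_signature(ob["url"]))
        groups[key].add(host)
    return dict(groups)


def linked_hosts(observations, min_size=2):
    """Return only clusters with at least min_size distinct hosts.

    These are the candidate "same operator" sets worth manual follow-up;
    singletons carry no linking evidence.
    """
    return {key: sorted(hosts)
            for key, hosts in cluster(observations).items()
            if len(hosts) >= min_size}


if __name__ == "__main__":
    for key, hosts in linked_hosts(OBSERVATIONS).items():
        registrar, asn, signature = key
        print(f"{registrar} / {asn} / params={signature}: {hosts}")
```

The combined key matters: a privacy-proxy registrar and a large ASN are each shared by enormous numbers of unrelated domains, so on their own they prove nothing. The parameter-layout match is what narrows the set, and even then the output is a hypothesis for an analyst to confirm, not an attribution.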

Because the sites carrying the ads traffic in pirated content, researchers speculated that their publishers would be unlikely to report malicious activity in the ads they host.

None of the individual malvertising attacks stood out alone but the fact that they were all connected is what made the campaign unique, the post said.

Segura said that users should avoid visiting risky sites to prevent infection and use caution if they do.

“Make sure your computer first of all is up to date,” Segura said, adding that the malware “will try to exploit vulnerabilities that have most likely been patched.”

He recommended using anti-virus, anti-exploit, and anti-malware software for added protection. 

UPDATE: An AdCash spokesperson told SCMagazine.com via email correspondence that the campaign itself was stopped and that an investigation into the incident has been launched. "We encourage a culture of “full disclosure” and will proactively investigate any potentially non-compliant campaigns that are reported to us and use that information to improve our product, processes and services," the spokesperson said.  
