
Malvertising affected websites with millions of monthly visits for three weeks

For about three weeks beginning around Aug. 16, a large number of high-traffic websites – some with tens of millions of visits per month – were observed distributing malware as part of a stealthy malvertising campaign.

Researchers with Malwarebytes worked with affected advertising networks to end the campaign, but some of the websites impacted during the run included ebay.co.uk, drudgereport.com, answers.com, wowhead.com, ehowespanol.com, and several popular pornographic websites, a Monday post said.

Among the affected advertising networks were DoubleClick, AppNexus, engage:BDR and ExoClick. The threat actors posed as legitimate advertisers and used techniques to hide malicious traffic redirections, and they were so effective that they were able to evade most detection systems, the post said.

The redirections ultimately took visitors to the Angler Exploit Kit, which was observed targeting a vulnerability in Internet Explorer (CVE-2015-2419) and a flaw in Adobe Flash Player (CVE-2015-5560), Jerome Segura, senior security researcher with Malwarebytes, told SCMagazine.com in a Tuesday email correspondence.

“There are at least two different threads used by Angler Exploit Kit operators and one of them is known to distribute Bedep, a large botnet involved in ad fraud and ransomware,” Segura said, adding, “The redirection chain is seamless and happens within seconds. No user interaction is needed, other than being at the wrong place at the wrong time.”

According to Malwarebytes telemetry, 46 percent of users landing on the Angler Exploit Kit in this campaign are in the U.S. and 36 percent are in the U.K. The remaining users are in Australia, Poland and Canada, at six percent each.

Malwarebytes has multiple reasons to believe that the threat actors here were also behind other recent malvertising campaigns, including an August attack against popular dating website PlentyOfFish.

“First, the use of URL shorteners, such as goo.gl was the trademark of this gang,” Segura said. “Then halfway through the campaign, we noticed a change to a new shortener, possibly because the intense scrutiny on the Google one was hurting their redirection flow. Finally, the use of Angler via malvertising attacks on very large publishers ties it all in.”

According to the post, this attack illustrates why screening advertisers is important, particularly when advertisers are allowed to host and serve the ad content themselves.

“The ad could be clean or booby trapped, but the rogue actors are in full control of the delivery platform and can instruct it to perform nefarious actions that will easily bypass most security checks,” the post said.
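A defender-side illustration of the redirection chain Segura describes (ad-network call, then a URL shortener, then a previously unseen domain, all within seconds). This is an added example, not code from Malwarebytes or SC Media; it runs over constructed proxy-log lines, and the ad-network and shortener domain sets and the five-second window are assumptions to adapt to local data.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample proxy log (not from the article): "timestamp client url".
SAMPLE_LOG = """\
2015-08-20T10:00:01 10.0.0.5 http://www.example-publisher.test/news/index.html
2015-08-20T10:00:02 10.0.0.5 http://ad.doubleclick.net/adj/example-slot
2015-08-20T10:00:03 10.0.0.5 http://goo.gl/abc123
2015-08-20T10:00:04 10.0.0.5 http://random-landing.test/viewtopic.php?t=1
2015-08-20T10:05:00 10.0.0.9 http://www.example-publisher.test/news/index.html
2015-08-20T10:05:01 10.0.0.9 http://ad.doubleclick.net/adj/example-slot
2015-08-20T10:05:02 10.0.0.9 http://cdn.example-publisher.test/banner.png
"""

# Assumed allowlists: extend with the ad networks and shorteners seen in your own traffic.
AD_NETWORKS = {"doubleclick.net"}
SHORTENERS = {"goo.gl"}
WINDOW_SECONDS = 5  # assumed: the chain "happens within seconds"

def registered_domain(url):
    """Crude registered-domain extraction: last two labels of the host."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def parse_log(text):
    """Group (timestamp, url) requests by client address."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, client, url = line.split(" ", 2)
        events[client].append((datetime.fromisoformat(ts), url))
    return events

def find_redirect_chains(text, window=WINDOW_SECONDS):
    """Return (client, publisher, ad_network, shortener_url, landing_url) tuples."""
    hits = []
    for client, reqs in parse_log(text).items():
        reqs.sort()
        for i, (t_short, u_short) in enumerate(reqs):
            if registered_domain(u_short) not in SHORTENERS:
                continue
            # Hop 1: an ad-network request shortly before the shortener hit,
            # preceded by the publisher page the user was actually reading.
            prior = [r for r in reqs[:i] if (t_short - r[0]).total_seconds() <= window]
            ads = [r for r in prior if registered_domain(r[1]) in AD_NETWORKS]
            pages = [r for r in prior if registered_domain(r[1]) not in AD_NETWORKS]
            if not ads or not pages:
                continue
            publisher = registered_domain(pages[-1][1])
            # Hop 3: a domain that is neither publisher, ad network nor shortener,
            # reached right after the shortener; that is the candidate landing page.
            for t_next, u_next in reqs[i + 1:]:
                if (t_next - t_short).total_seconds() > window:
                    break
                d = registered_domain(u_next)
                if d not in AD_NETWORKS | SHORTENERS and d != publisher:
                    hits.append((client, publisher, registered_domain(ads[-1][1]), u_short, u_next))
                    break
    return hits
```

Flagged chains are leads for triage, not verdicts: a legitimate shortened ad click-through produces the same shape, so the landing domain still needs reputation or sandbox review.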
