New malvertising campaign hit visitors of several high-profile sites

Attackers redirected users to Web-based exploits by pushing malicious advertisements onto popular sites, researchers from Fox-IT said

Some visitors to several high-profile websites last week were redirected to browser exploits that installed malware on their computers because of malicious advertisements on those sites.

The attack affected visitors to Java.com, Deviantart.com, TMZ.com, Photobucket.com, IBTimes.com, eBay.ie, Kapaza.be and TVgids.nl between Aug. 19 and Aug. 22, according to researchers from Dutch security firm Fox-IT.

"These websites have not been compromised themselves, but are the victim of malvertising," the researchers said Wednesday in a blog post. "This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware."

The rogue ads were distributed through AppNexus, a company that runs a real-time online advertising platform, and redirected visitors to an instance of the Angler exploit kit, according to the Fox-IT analysis. This attack tool can exploit vulnerabilities in outdated versions of Flash Player, Java and Microsoft Silverlight to silently install malicious programs on users' computers.

In this particular attack, hackers used the Angler exploit kit to install a variant of the Asprox botnet malware, the Fox-IT researchers said. "Asprox is a notorious spam botnet which has upped its game over these past few months by using the infected machines to perform advertisement clicking fraud."

While Asprox is primarily known for sending spam, the malware also has other malicious functionality including scanning websites for vulnerabilities and stealing log-in credentials stored on computers.

Similar attacks have been reported across various advertising networks and websites over the years and prompted an investigation by the U.S. Senate. This latest incident suggests that their sophistication is growing.

In this particular case, attackers took advantage of an online advertising practice known as retargeting to make their attack harder to detect. Retargeting involves leaving tracking data like cookies or other files inside users' browsers when they visit certain brand websites, so that they can later be shown ads about those brands on other sites.

"Clients were affected when they were retargeted due to having interesting tracking data," the Fox-IT researchers said via email. "Interestingly enough, this tracking data was used to deliver malicious content."

By being selective and displaying the rogue ads only to browsers that stored certain metadata, the attackers likely made it harder for site owners to detect the rogue content or to investigate reports from potentially affected users, as replicating the malicious behavior would have proven difficult.

The attackers also took advantage of the real-time bidding process that's used to serve ads based on user metadata like geographical location, browser type and Web browsing history. This mechanism allows advertisers to bid in real time to display their ads to visitors that meet certain criteria.

"In the case of this malvertising campaign the malicious advertisers were the highest bidders," the Fox-IT researchers said in their blog post.

"Malvertising is a known problem within the online ecosystem and one the industry takes very seriously," said Graham Wylie, senior director of marketing for the EMEA and APAC regions at AppNexus via email. "In recent months we have seen increasing complexity in attacks and have taken steps to identify and remove the source of these. We provide some of the industry's best tools for detecting and blocking questionable material and employ a team of auditors to ensure high standards are met. We are continuously learning, and make changes to our systems and processes as a result, but are unable to share any specific details as this could help those trying to bypass our safeguards."

Photobucket, DeviantART and Oracle did not immediately respond to requests for comment about the malvertising attack that, according to Fox-IT, affected their websites.

Given the selective targeting used in the attack it's hard to know the number of victims. However, users who visited the affected sites recently, especially during the time frame specified by Fox-IT, should scan their computers for malware.

There is no silver bullet to protect against this type of attack, but there are some methods to reduce the risk of compromise for users, the Fox-IT researchers said. These include enabling click-to-play for plug-in-based content in browsers that offer the feature, keeping browser plug-ins up to date, disabling plug-ins that are no longer needed and using ad blocking extensions.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags DeviantARTFox-ITonline safetysecurityDesktop securityPhotobucketAppNexusmalwareOracle

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?