As delivering malware through online ads becomes increasingly popular among cybercriminals, the advertising industry has to rethink how it handles online advertisements.
In the month of August alone, researchers at the antivirus firm Malwarebytes have found and reported several so-called malvertising campaigns, including the big campaign that inserted malicious ads into the ad network used by Yahoo and its subsites, such as News, Finance, and Games. The same bad actor also tricked the ad network used by eBay. Similar campaigns impacted visitors to dating site PlentyOfFish and the media content site for Australian telecommunications provider Telstra this week, and the same ad network displayed malicious ads on MSN, Malwarebytes said.
The malvertising campaign that tripped up Yahoo.com visitors was the work of a Russian threat actor called Fessleak, said Patrick Belcher, director of security analytics at Invincea. Fessleak purchased video display advertisements via a real-time ad bidding network to target Yahoo visitors, infect them with click-fraud bots, and deliver ransomware. Fessleak always includes Flash zero-days in his campaigns, Belcher said, which makes it easy to hit a large number of victims who have had no chance to patch those flaws.
The breach of Hacking Team, the maker of government surveillance software, which made that company's Flash zero-day exploits public last month, "was a bonanza" for Fessleak, Belcher said. Adobe has since patched the vulnerabilities, but users who have not yet applied the updates remain susceptible to the attack.
The mechanics of malvertising
A malvertising campaign has essentially two parts: the advertisement itself, which typically redirects the victim to a different website, and the attack website, which typically hosts an exploit kit such as Angler or Nuclear.
The exploit kit bundles several different exploits; it probes the visitor's browser and plugins for unpatched software or other vulnerabilities and uses whatever it finds to push the payload (malware for click fraud and botnets, ransomware, and banking Trojans, to name a few types) onto the user's machine. Exploit kits that include Flash zero-days are popular at the moment, Belcher said.
In the case of Telstra, visitors saw a malicious ad purporting to offer a Lamborghini Gallardo for sale, but the ad's shortened URL (via Google's link shortener) sent users to a separate website where a Nuclear exploit kit pushed a banking Trojan, according to Jerome Segura, a researcher with Malwarebytes.
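The chain described above (publisher page, ad server, URL shortener, exploit-kit landing page, Flash exploit, dropped payload) leaves a distinctive trail in a web proxy log, because each hop carries the previous one as its Referer. The following script is an added example, not code from the article or from Malwarebytes or Invincea: it rebuilds per-client referer chains from a constructed log and flags any chain that starts at an ad server and ends in a Flash object or executable fetched from a host that is neither the ad network nor a shortener. The log lines and every hostname except goo.gl (Google's shortener, the one the Telstra case used) are hypothetical, as is the log format; adapt parse_log to your own proxy's fields.

```python
"""Reconstruct ad -> shortener -> landing page -> payload chains from a proxy log.

Added example; hostnames other than goo.gl are hypothetical and the log lines
are constructed, not captured from any real campaign.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed proxy log: timestamp client method url status content-type referer ("-" if none).
# Client 10.0.0.5 is served the malicious creative; 10.0.0.9 gets a benign ad in the same slot.
SAMPLE_LOG = """\
2015-08-20T10:00:01Z 10.0.0.5 GET http://media.telco.example/news/cars 200 text/html -
2015-08-20T10:00:02Z 10.0.0.5 GET http://ads.adnet.example/serve?slot=300x250 200 text/html http://media.telco.example/news/cars
2015-08-20T10:00:03Z 10.0.0.5 GET http://goo.gl/AbCd12 302 - http://ads.adnet.example/serve?slot=300x250
2015-08-20T10:00:03Z 10.0.0.5 GET http://cdn-landing.example/gate.php?id=7 200 text/html http://goo.gl/AbCd12
2015-08-20T10:00:04Z 10.0.0.5 GET http://cdn-landing.example/x.swf 200 application/x-shockwave-flash http://cdn-landing.example/gate.php?id=7
2015-08-20T10:00:05Z 10.0.0.5 GET http://cdn-landing.example/load.exe 200 application/octet-stream http://cdn-landing.example/gate.php?id=7
2015-08-20T10:05:00Z 10.0.0.9 GET http://media.telco.example/news/cars 200 text/html -
2015-08-20T10:05:01Z 10.0.0.9 GET http://ads.adnet.example/serve?slot=300x250 200 text/html http://media.telco.example/news/cars
2015-08-20T10:05:02Z 10.0.0.9 GET http://shop.carsales.example/lambo 200 text/html http://ads.adnet.example/serve?slot=300x250
"""

# Content types an exploit-kit landing page hands out: the Flash exploit and the dropped payload.
PAYLOAD_TYPES = {"application/x-shockwave-flash", "application/octet-stream", "application/x-msdownload"}


@dataclass(eq=False)  # identity comparison: two requests stay distinct even if every field matches
class Request:
    ts: str
    client: str
    url: str
    status: int
    ctype: str
    referer: Optional[str]


def parse_log(text: str) -> List[Request]:
    """Parse the whitespace-separated constructed log format above."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, ctype, referer = line.split()
        reqs.append(Request(ts, client, url, int(status), ctype, None if referer == "-" else referer))
    return reqs


def host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _walk(node: Request, children: Dict[str, List[Request]],
          path: Tuple[Request, ...] = ()) -> Iterator[Tuple[Request, ...]]:
    """Depth-first walk of the referer graph, yielding every path from node to a leaf."""
    path = path + (node,)
    nexts = [c for c in children.get(node.url, []) if c not in path]  # skip referer loops
    if not nexts:
        yield path
        return
    for child in nexts:
        yield from _walk(child, children, path)


def find_chains(reqs: List[Request], ad_hosts: Set[str], shortener_hosts: Set[str]) -> List[dict]:
    """Return every per-client chain that starts at an ad server and ends in a payload
    fetch from a host that is neither the ad network nor a shortener."""
    findings = []
    by_client: Dict[str, List[Request]] = defaultdict(list)
    for r in reqs:
        by_client[r.client].append(r)
    for client, rs in by_client.items():
        # Referer graph for this client only: url -> requests that cited it as Referer.
        children: Dict[str, List[Request]] = defaultdict(list)
        for r in rs:
            if r.referer:
                children[r.referer].append(r)
        for start in rs:
            if host(start.url) not in ad_hosts:
                continue
            for path in _walk(start, children):
                last = path[-1]
                if last.ctype not in PAYLOAD_TYPES or host(last.url) in ad_hosts | shortener_hosts:
                    continue
                findings.append({
                    "client": client,
                    "chain": [r.url for r in path],
                    "via_shortener": any(host(r.url) in shortener_hosts for r in path),
                    "payload_host": host(last.url),
                    "payload_type": last.ctype,
                })
    return findings


if __name__ == "__main__":
    for f in find_chains(parse_log(SAMPLE_LOG), {"ads.adnet.example"}, {"goo.gl"}):
        print(f["client"], "->", " -> ".join(f["chain"]), f"[{f['payload_type']}]")
```

On the constructed log this reports two chains for 10.0.0.5 (one ending in the SWF, one in the executable) and nothing for 10.0.0.9. The shortener hop is recorded as a signal rather than used as a verdict, because legitimate creatives use shorteners too; the stronger indicator is a Flash object or executable served by a host that entered the session only through an ad click.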
The criminal doesn't really have a specific site or user group in mind when introducing malicious ads into the ad network, but rather a category of sites or a profile of a typical victim. The network decides when and on which site to display the ad, depending on the categories specified by the advertiser. Fessleak targets commerce sites, for example, but another popular target is the broadband category, which includes sites owned by ISPs and telcos such as Telstra, Belcher said.