Earlier this week major websites including the BBC, Newsweek, the New York Times and MSN ‘hosted’ malvertising, in what has been called the largest attack of its type for two years. Previously Google’s DoubleClick and Zedo ad servers were ‘infected’, and YouTube, Amazon and Yahoo displayed advertisements served from them.
Although ad networks try to filter out malicious advertisements, occasionally altered ones slip through. On a high-traffic site that means a large pool of potential victims, and the websites displaying the ads are usually unaware of the problem.
AppNexus, one of the ad networks involved, said it has an anti-malware detection system called Sherlock that it uses to screen ads, and that it also uses a filtering product from a third-party vendor. “We devote considerable financial resources to safeguarding our customers. Unfortunately, bad actors also invest considerably in developing new forms of malware,” said Josh Zeitz, vice president of communications.
The client websites were not at fault. Cybercriminals made copies of legitimate advertisements in which the links had been altered to send visitors to servers that infect them with ransomware, submitted those copies to legitimate advertising networks, and had them served to the websites like any other ad.
Security company Flexera estimates that tens of thousands of computers were exposed, meaning some may have been infected with malware or file-encrypting ransomware. The altered advertisements redirected to servers hosting the Angler exploit kit, which probes the visitor’s browser and plugins for known, unpatched vulnerabilities and, if it finds one, uses it to deliver the malware without any further action by the user.
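To make the chain in the two paragraphs above concrete, here is an added example (my own, not code from the original post or from any of the vendors named): a Python script that reconstructs Referer chains from web proxy logs and flags the pattern of a trusted news site pivoting through an ad network to an unknown host that serves a browser-plugin file or an opaque binary. The simplified log format, the domains, the ad-network set and the trusted-CDN allowlist are all constructed assumptions for the example; the log lines are not real traffic.

```python
"""Reconstruct Referer chains from proxy logs to flag malvertising that
pivots from a trusted site, through an ad network, to an unknown host
serving an exploit-kit style payload (plugin file or opaque binary).

Log format is a constructed, simplified one for this example:
  timestamp client method url referer status content-type
"""
from collections import namedtuple
from urllib.parse import urlparse

Record = namedtuple("Record", "ts client method url referer status ctype")

# Content types an exploit-kit landing chain typically ends in.
PAYLOAD_TYPES = {
    "application/x-shockwave-flash",
    "application/x-silverlight-app",
    "application/java-archive",
    "application/octet-stream",
}

# Constructed sample log (hypothetical domains; not real traffic).
SAMPLE_LOG = """\
2016-03-15T10:00:01Z 10.0.0.5 GET http://news.example.com/story/1 - 200 text/html
2016-03-15T10:00:02Z 10.0.0.5 GET http://ads.example.net/serve?id=123 http://news.example.com/story/1 200 text/html
2016-03-15T10:00:02Z 10.0.0.5 GET http://cdn.example.org/banner.swf http://ads.example.net/serve?id=123 200 application/x-shockwave-flash
2016-03-15T10:00:03Z 10.0.0.5 GET http://ads.example.net/serve?id=777 http://news.example.com/story/2 200 text/html
2016-03-15T10:00:03Z 10.0.0.5 GET http://zq8k2.example-tld.xyz/index.php?x=abc http://ads.example.net/serve?id=777 200 text/html
2016-03-15T10:00:04Z 10.0.0.5 GET http://zq8k2.example-tld.xyz/land.swf http://zq8k2.example-tld.xyz/index.php?x=abc 200 application/x-shockwave-flash
2016-03-15T10:00:05Z 10.0.0.5 GET http://zq8k2.example-tld.xyz/payload.bin http://zq8k2.example-tld.xyz/land.swf 200 application/octet-stream
"""

AD_DOMAINS = {"ads.example.net"}        # hypothetical ad network in the chain
TRUSTED_DOMAINS = {"cdn.example.org"}   # hypothetical creative CDN allowed to serve plugin files


def parse_log(text):
    """Parse whitespace-separated log lines into Record tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer, status, ctype = line.split()
        records.append(Record(ts, client, method, url,
                              None if referer == "-" else referer,
                              int(status), ctype))
    return records


def host(url):
    return urlparse(url).hostname or ""


def referer_chain(rec, by_url):
    """Follow Referer headers back from rec to the page the user opened.
    Stops when a referer was never seen by the proxy (e.g. served from
    cache) or when a loop is detected."""
    chain = [rec.url]
    seen = {rec.url}
    cur = rec
    while cur is not None and cur.referer and cur.referer not in seen:
        seen.add(cur.referer)
        chain.append(cur.referer)
        cur = by_url.get((cur.client, cur.referer))
    chain.reverse()
    return chain


def collapse_hosts(urls):
    """Reduce a URL chain to the sequence of distinct consecutive hosts."""
    hosts = []
    for u in urls:
        h = host(u)
        if not hosts or hosts[-1] != h:
            hosts.append(h)
    return hosts


def find_malvertising_chains(text, ad_domains=AD_DOMAINS, trusted=TRUSTED_DOMAINS):
    """Return one entry per (client, host chain) where a payload-type response
    came from a host that is neither the ad network nor a trusted CDN, and an
    ad-network host appears earlier in the chain."""
    records = parse_log(text)
    by_url = {(r.client, r.url): r for r in records}
    hits = {}
    for r in records:
        if r.ctype not in PAYLOAD_TYPES:
            continue
        hosts = collapse_hosts(referer_chain(r, by_url))
        final = hosts[-1]
        if final in ad_domains or final in trusted:
            continue                      # a known party served it; not this pattern
        if not any(h in ad_domains for h in hosts[:-1]):
            continue                      # no ad-network pivot in the chain
        key = (r.client, tuple(hosts))
        hits.setdefault(key, []).append(r.url)
    return [{"client": c, "hosts": list(h), "payloads": urls}
            for (c, h), urls in hits.items()]


if __name__ == "__main__":
    for hit in find_malvertising_chains(SAMPLE_LOG):
        print(hit["client"], " -> ".join(hit["hosts"]))
        for url in hit["payloads"]:
            print("   payload:", url)
```

On the sample log the legitimate creative (news site, ad network, trusted CDN) is ignored, while the altered ad that pivots from the same ad network to an unknown host and ends in a Flash file followed by an opaque binary is reported as one chain. The publisher’s own domain only ever appears as the first hop, which is exactly why the publisher sees nothing wrong; in practice you would feed this from the proxy or NetFlow/HTTP logs of the client estate, not from the publisher’s side.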
Steve Schmidt, VP of Corporate Development at Flexera Software said, “While this story is more spectacular than most because the targets are high-profile news sites, it illustrates precisely why software vulnerability management is a prerequisite for risk reduction. The majority of successful cyber attacks against organisations worldwide use known software vulnerabilities to gain access or escalate privileges inside corporate IT infrastructures. Once hackers have successfully exploited a vulnerability, they have the base to roll out their attack, moving around systems, collecting information, and deploying malware to steal or destroy business-critical information or cause disruption.”
Schmidt says that software vulnerability management is key in mitigating this risk. “For organisations, the best starting point to protect their data is to implement software vulnerability management tools to close those entry points, before they can be exploited. The right set of tools provides timely, relevant and comprehensive intelligence from a trusted source about vulnerabilities discovered and disclosed every day that could impact the environment; and it enables IT teams to act on that information – either by applying a tested security patch, or applying workarounds like sectioning off the vulnerable application from business critical data. Well implemented Software Vulnerability Management processes effectively reduce the attack surface for cybercriminals and hackers, consequently reducing the risk of security breaches.”
Another day, another exploit. Death and Taxes are no longer the two things you can be sure of. Most anti-virus/anti-malware companies picked up on this story and, thankfully, most updated their detection definitions. I found an interesting article on malvertising at Trend titled ‘Malvertising – when online ads attack’.
Malwarebytes also has a blog post here that shows that Google, AppNexus, AOL and Rubicon ad servers were affected.
Where the chain ends in a download that the user is asked to run, you still have to click to install, and that is human error again. But with an exploit kit like Angler in the chain the exploit runs as the page loads, with no click at all, which is why keeping the browser and its plugins patched matters more than user training for this kind of attack.