New malvertising campaign hit visitors of several high-profile sites

Attackers redirected users to Web-based exploits by pushing malicious advertisements onto popular sites, researchers from Fox-IT said

Some visitors to several high-profile websites last week were redirected to browser exploits that installed malware on their computers because of malicious advertisements on those sites.

The attack affected visitors to Java.com, Deviantart.com, TMZ.com, Photobucket.com, IBTimes.com, eBay.ie, Kapaza.be and TVgids.nl between Aug. 19 and Aug. 22, according to researchers from Dutch security firm Fox-IT.

"These websites have not been compromised themselves, but are the victim of malvertising," the researchers said Wednesday in a blog post. "This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware."

The rogue ads were distributed through AppNexus, a company that runs a real-time online advertising platform, and redirected visitors to an instance of the Angler exploit kit, according to the Fox-IT analysis. This attack tool can exploit vulnerabilities in outdated versions of Flash Player, Java and Microsoft Silverlight to silently install malicious programs on users' computers.

In this particular attack, hackers used the Angler exploit kit to install a variant of the Asprox botnet malware, the Fox-IT researchers said. "Asprox is a notorious spam botnet which has upped its game over these past few months by using the infected machines to perform advertisement clicking fraud."

While Asprox is primarily known for sending spam, the malware also has other malicious functionality including scanning websites for vulnerabilities and stealing log-in credentials stored on computers.

Similar attacks have been reported across various advertising networks and websites over the years and prompted an investigation by the U.S. Senate. This latest incident suggests that their sophistication is growing.

In this particular case, attackers took advantage of an online advertising practice known as retargeting to make their attack harder to detect. Retargeting involves leaving tracking data like cookies or other files inside users' browsers when they visit certain brand websites, so that they can later be shown ads about those brands on other sites.

"Clients were affected when they were retargeted due to having interesting tracking data," the Fox-IT researchers said via email. "Interestingly enough, this tracking data was used to deliver malicious content."

By being selective and displaying the rogue ads only to browsers that stored certain metadata, the attackers likely made it harder for site owners to detect the rogue content or to investigate reports from potentially affected users, as replicating the malicious behavior would have proven difficult.

The attackers also took advantage of the real-time bidding process that's used to serve ads based on user metadata like geographical location, browser type and Web browsing history. This mechanism allows advertisers to bid in real time to display their ads to visitors that meet certain criteria.

"In the case of this malvertising campaign the malicious advertisers were the highest bidders," the Fox-IT researchers said in their blog post.

"Malvertising is a known problem within the online ecosystem and one the industry takes very seriously," said Graham Wylie, senior director of marketing for the EMEA and APAC regions at AppNexus via email. "In recent months we have seen increasing complexity in attacks and have taken steps to identify and remove the source of these. We provide some of the industry's best tools for detecting and blocking questionable material and employ a team of auditors to ensure high standards are met. We are continuously learning, and make changes to our systems and processes as a result, but are unable to share any specific details as this could help those trying to bypass our safeguards."

Photobucket, DeviantART and Oracle did not immediately respond to requests for comment about the malvertising attack that, according to Fox-IT, affected their websites.

Given the selective targeting used in the attack it's hard to know the number of victims. However, users who visited the affected sites recently, especially during the time frame specified by Fox-IT, should scan their computers for malware.

There is no silver bullet to protect against this type of attack, but there are some methods to reduce the risk of compromise for users, the Fox-IT researchers said. These include enabling click-to-play for plug-in-based content in browsers that offer the feature, keeping browser plug-ins up to date, disabling plug-ins that are no longer needed and using ad blocking extensions.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags DeviantARTFox-ITonline safetysecurityDesktop securityPhotobucketAppNexusmalwareOracle

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?