A week ago, some visitors to high-profile websites were redirected to browser exploits that installed malware on their PCs, courtesy of malicious advertisements served on those websites.
The malicious advertisements were discovered between August 19 and August 22, and users did not have to click them to be infected.
Researchers from the Dutch security firm Fox-IT reported that the attack affected visitors to Deviantart.com, Java.com, IBTimes.com, eBay.ie, TVgids.nl, Photobucket.com and Kapaza.be. The websites themselves were not hacked; the malicious ads were distributed through the online ad network AppNexus, whose automated-bidding placement process the attackers had abused. (AppNexus removed the ads quickly.)
“These websites have not been compromised themselves, but are the victim of malvertising,” the researchers noted in a blog post. “This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware.”
When victims visited a website carrying the malicious ads, the disguised links triggered a drive-by download: the victims’ browsers were redirected to a malicious web page hosting the Angler browser exploit kit, a software bundle containing exploits for several known flaws in common browser plug-ins such as Microsoft Silverlight, Flash Player and Java.
Like most exploit kits, Angler tries several different exploits until it finds one that gets through the defences. It then uses that hole to inject and launch malware, in this case the Rerdom backdoor Trojan, which establishes a foothold through which further malware can be installed. Rerdom is the primary payload dropped onto the victim’s PC.
Advertising networks and websites have been the victims of similar attacks over the years, and one such case even led to an investigation. This new incident suggests that the sophistication of such attacks is on the rise.
In this particular case the attackers took advantage of an online advertising practice called retargeting, which made their attack harder to detect. Retargeting leaves tracking data, such as files and cookies, in a visitor’s browser when they visit certain brand sites, so that ads related to those brands can be shown to them on other websites.
“Clients were affected when they were retargeted due to having interesting tracking data,” said Fox-IT researchers. “Interestingly enough, this tracking data was used to deliver malicious content.”
By showing the rogue ads only to browsers that stored certain tracking data, the attackers made it difficult for site owners to detect the rogue content or to investigate reports from victims, since replicating the illicit behaviour would have been difficult.
The attacks also leveraged the real-time bidding process that is used to serve ads based on user metadata such as browser type, geographical location and web browsing history. This mechanism lets advertisers bid in real time to show ads to visitors who meet particular criteria.
“Malvertising is a known problem within the online ecosystem and one the industry takes very seriously,” said Graham Wylie, a senior marketing executive for the APAC and EMEA regions at AppNexus. “In recent months we have seen increasing complexity in attacks and have taken steps to identify and remove the source of these. We provide some of the industry’s best tools for detecting and blocking questionable material and employ a team of auditors to ensure high standards are met. We are continuously learning, and make changes to our systems and processes as a result, but are unable to share any specific details as this could help those trying to bypass our safeguards.”
Given the selective targeting used in the attacks, it is difficult to know the exact number of victims. However, users who recently visited the websites mentioned, especially during the dates given by the Fox-IT researchers, should scan their PCs for malware.
Fox-IT’s researchers stated that there is no silver bullet against such attacks, but a few measures reduce the risk of compromise for users: enabling click-to-play for plug-in-based content in browsers that offer the feature, disabling plug-ins that are no longer used, keeping browser plug-ins up to date, and using ad-blocking extensions.
Ad blockers, however, are an incomplete solution: some of them ‘whitelist’ certain ad networks so that their ads are still shown, and click-to-play settings won’t affect simple ads that do not rely on plug-ins.
A better option may be to install an extension such as Script Blocker for Google Chrome or NoScript for Mozilla Firefox: these extensions block all executable content by default. Users can still allow content from specific sites while blocking ads served by ad networks.
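For an organisation that cannot rely on every user installing an extension, the same mitigations (click-to-play for plug-ins, disabling plug-ins nobody needs, and default-deny scripting with a per-site allow list) can be pushed as a browser policy. The script below is an added example written for this article; it is not from Fox-IT, AppNexus or the article’s author. It assumes Chrome on Linux, which reads managed policies from `/etc/opt/chrome/policies/managed/*.json`, and uses the policy names Chrome documented in that era: `DefaultPluginsSetting` (1 = run all plug-ins automatically, the weak default that lets an ad load Flash, Java or Silverlight content without a click; 2 = block; 3 = click to play), `PluginsAllowedForUrls`, `DisabledPlugins`, `DefaultJavaScriptSetting` (1 = allow, 2 = block) and `JavaScriptAllowedForUrls`. The plug-in keys were removed from Chrome after NPAPI plug-in support ended, so on a current browser only the JavaScript keys still apply; the allow-list pattern `https://[*.]example.com` is a constructed placeholder for the organisation’s own sites.

```shell
#!/bin/sh
# Added example, not the article's or any vendor's code.
# Renders and installs a Chrome managed-policy file that applies the
# anti-malvertising mitigations described above. Assumptions: Chrome on Linux
# (managed policy dir /etc/opt/chrome/policies/managed), 2014-era policy names
# (the plug-in keys have since been removed from Chrome).

render_policy() {
  # $1: Chrome content-settings URL pattern that may still run plug-ins and
  # scripts, e.g. 'https://[*.]example.com' (constructed placeholder).
  allow="$1"
  printf '%s\n' \
    '{' \
    '  "DefaultPluginsSetting": 3,' \
    "  \"PluginsAllowedForUrls\": [\"$allow\"]," \
    '  "DisabledPlugins": ["Java*", "Silverlight*"],' \
    '  "DefaultJavaScriptSetting": 2,' \
    "  \"JavaScriptAllowedForUrls\": [\"$allow\"]" \
    '}'
}
# Meaning of the values above:
#   DefaultPluginsSetting 3      plug-in content needs a click (1 would be the
#                                weak "run automatically" setting)
#   DisabledPlugins              plug-ins the organisation does not use at all
#   DefaultJavaScriptSetting 2   scripts blocked everywhere except the allow
#                                list, which is what NoScript-style extensions
#                                do; third-party ad network origins stay blocked

install_policy() {
  # $1: allow pattern; $2: policy directory (defaults to Chrome's managed dir).
  dir="${2:-/etc/opt/chrome/policies/managed}"
  mkdir -p "$dir"
  render_policy "$1" > "$dir/malvertising-hardening.json"
  printf '%s\n' "$dir/malvertising-hardening.json"
}

# Usage: sh harden-chrome.sh --install 'https://[*.]example.com'
if [ "${1:-}" = "--install" ]; then
  install_policy "${2:?allow pattern required}"
fi
```

Chrome applies managed policies on its next start and shows them under chrome://policy, which is the quickest way to confirm the file was picked up and that no key was rejected as unknown.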