A report by Trustwave has exposed a new malvertising campaign that has succeeded in placing ads that redirect to the Angler Exploit Kit onto “very popular websites” around the world, including MSN, NY Times, BBC and NFL.com.
The rise of malware hijacking ads has become a growing problem and affects anyone doing affiliate marketing. It was also the root cause of the lengthy court case and judicial review of PhonepayPlus that still has repercussions for telemedia to this day.
The Angler exploit kit continues to innovate and come up with new ways of infecting victims, this time by acquiring an expired domain of a small advertising company, which provides it with high-quality traffic from popular websites. Once a victim has been successfully exploited, they are hit with a double punch: the Bedep Trojan and the TeslaCrypt ransomware.
Fraser Kyne, Principal Systems Engineer at Bromium, has this to say: “Malvertising is highly effective because cyber criminals can target their attacks to specific demographics, and deliver them with tremendous volume. The online advertising model is such that ad networks simply cannot verify the validity of each and every advertisement they serve, which ultimately passes the cost of security onto security teams. Most of these adverts are Flash, basically enabling complicated things to be done within the environment of the webpage, and really rely on the very fragile security of Flash, the Flash engine and the browser. With this level and amount of code, and the complexity of it, it is very challenging to secure. Ransomware is a highly pernicious attack; the initial compromise may occur through any number of exploits, but the end result is the encryption of all files on a system. These attacks demand payment for the key to unencrypt these locked files. Depending on the value of the encrypted data, organisations may feel compelled to pay the ransom, but making a payment only encourages these attacks to continue.
In order to prevent malvertisements, ransomware and other endpoint attacks, organisations should invest in strong endpoint protection. Most traditional endpoint protection solutions are failing because they rely on detection, which allows many attacks to succeed. Instead, organisations should investigate proactive protection, in the form of prevention, such as endpoint threat isolation or virtualisation-based security. This way, even if the ad does turn out to be malicious, it can compromise the web browser and its environment, but because it is running in a micro-VM it won’t have any impact on any other websites visited, your documents or your operating system. Additionally, ad-blocking browser extensions can be a highly effective way of mitigating malvertising attacks. Ransomware is much more difficult to mitigate, but frequent back-ups of valuable data can make remediation much easier.”