For two days in mid-March, visitors to major news and information sites—such as the New York Times, Newsweek, The Hill and the Weather Network—may have been redirected to Web servers that attempted to infect visitors’ systems with a variant of the Angler exploit kit and, ultimately, ransomware.
So far, the impact of the attack is unknown, but a single antivirus vendor, Trend Micro, recorded 41,000 infection attempts among its users between March 12 and 14. The attack hit visitors to AOL, the BBC, NFL, The Hill, Newsweek, the New York Times, MSN, Realtor.com, The Weather Network and the Xfinity portal, according to Malwarebytes, an endpoint security firm.
Another attack used ads on the site of a major British newspaper, The Daily Mail, to attempt to infect visitors the same week, but was likely part of a different campaign, the firm stated.
Overall, the attacks demonstrate that attackers can readily exploit weaknesses in the complex ad market and take advantage of the trust in publisher brands that have little to do with the trustworthiness of the ad content, Craig Young, security researcher with the vulnerabilities exposures research team (VERT) at Tripwire, told eWEEK.
“It is exploiting the fact that people have trust for popular Websites,” he said. “If you go to the Website of a major newspaper, you are going to expect that it will have sanitized content. You would expect that an attacker would have to breach the security of the publisher to put something on the site.”
However, malvertising makes an end-run around that assumed security, he said.
“Shady” ad networks
No wonder, then, that malvertising is—at least anecdotally—on the rise. Such attacks are happening more often—albeit, not always on such well-known sites—because attackers are becoming more sophisticated and more at ease with the complexities of the ad market, Jerome Segura, senior security researcher with Malwarebytes, told eWEEK.
“There are daily attacks and they typically happen via ad networks that are a bit shady, and by ‘shady,’ I mean companies that have very lax security practices,” Segura said.
The advertising ecosystem is very complex, and that complexity allows attackers to thrive in the “shady” parts of the ecosystem—those areas where top-line publishers, advertisers and ad networks may not have visibility, he said.
Norman Guadagno, chief evangelist for data-backup and security firm Carbonite and a former ad agency representative, also argued that the complexity makes malvertising a tough problem to solve. Every day, advertising networks deliver some 314 billion ad impressions to Website visitors, according to Guadagno, citing numbers from the Goodway Group, an online marketer.
“It is a problem that is rooted fundamentally in the complexity of the ad ecosystem,” he told eWEEK. “Between all the ad networks, all the sites, all the ads being served, all the code being used to make ads—it is a big, insanely complex ecosystem that has vulnerabilities.”
While the complexity of the advertising ecosystem helps malvertising hide, attackers are also becoming more knowledgeable about how to take advantage of that complexity.
In a recent study of one malvertising campaign, Malwarebytes found that attackers used targeted ads to focus on certain segments of the consumer marketplace and have started adding code to their ad banners that fingerprint the targeted computer, determining its operating system, browser and what security software it may be running, according to the firm.
Malvertising Thrives in ‘Shady Parts’ of Highly-Automated Ad Networks
This tactic also lets the attacker look for the telltale signs that a visitor is not a human, but an analyst’s machine testing the advertisement for malicious activity, Malwarebyte’s Segura said.
“Attackers are highly motivated and they are looking for new vectors all the time,” he said. “Ad banners not only redirect to Websites, but they fingerprint the Website. Rather than direct people to the exploit kit, they wanted to figure out the potential victims—and hide from researchers—for longer periods of time.”
The study looked at more than 100 fake advertising domains that had fake profiles and used malicious GIF advertisements to target only residential IP addresses. More than 40 percent of infections affected computers in the United States at a cost of 19 cents per 1,000 impressions.
“The fingerprinting techniques—coupled with geolocation and IP checks—are effective but have been (historically) employed relatively late in the infection chain,” the report stated. “It only made sense to add them at the traffic redirection phase to ensure only ‘qualified’ users were being redirected to exploit kits.”
The complexity of advertising networks and the ability of attackers to easily hide in a way that is not apparent to users raises questions about the best way to fight malvertising.
Advertising networks and advertisers need to focus on being aware of who is supplying their content and forming a chain of trust from the publisher all the way down to the advertiser, said experts.
Unfortunately, with real-time bidding and programmatic advertising making the ad-buying process faster, there is less time for anyone in the chain to make a decision on the content of an ad, said Christopher Budd, global threat communications manager with Trend Micro.
“Advertising is a very fast market, and one thing we know in security is that speed kills … whether we are talking about shortened development time or trying to push things out and not spending enough time on a security architecture review,” he said. “Doing it really well requires a more methodical approach.”
The speed factor was on display in the latest attack. The majority of the traffic sent to potential victims came during a 12-hour period late in the day on March 13—a Sunday, according to data from Trend Micro.
Malvertising underscores the security problems in the advertising ecosystem posed by the inconsistent vetting of third-party content suppliers. While users are the ultimate victims, there is very little they can do to force publishers and advertising networks to insure that their content is non-malicious.
However, users can harden their systems and treat with suspicion any odd Website behavior, Trend Micro’s Budd said. Endpoint security software—whether an antimalware program, a network-based service such as OpenDNS, or an application firewall such as Little Snitch—can help catch malvertising before it infects a system.
“At the end of the day, the more people make themselves non-viable targets, the more that this particular attack vector will evaporate,” he said. “The criminals are not going to go away, unfortunately. If we make malvertising not worth the time, however, they will move onto something else.”