Some visitors to several high-profile websites last week were redirected to browser exploits that installed malware on their computers because of malicious advertisements on those sites.
The attack affected visitors to big ticket websites like Java.com, Deviantart.com, TMZ.com, Photobucket.com, IBTimes.com, eBay.ie, Kapaza.be and TVgids.nl between Aug. 19 and Aug. 22, according to researchers from Dutch security firm Fox-IT.

“These websites have not been compromised themselves, but are the victim of malvertising,” the researchers said Wednesday in a blog post. “This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware.”

Angler is among a menu of exploit kits available on underground forums and used in campaigns to own websites and redirect victims off to sites hosting banking malware and other types of malicious code. AppNexus, in May, was serving malicious ads targeting Microsoft’s Silverlight platform. Streaming film and television service Netflix runs on Silverlight, and because of its popularity, hackers have been loading malware kits such as Angler with Silverlight exploits. 

In the current campaign, the kit checks whether the victim’s browser supports a vulnerable version of Java or Flash, in addition to Silverlight, and then embeds an exploit that initiates a download of Asprox, Fox-IT said, adding that it has contacted AppNexus to inform it of the issue.

Asprox is a spam botnet that has recently been modified for click fraud; with this modification, the cybercriminals behind it spread the malware on several fronts, including email attachments as well as exploit kits.
“Asprox has gone through many changes and modifications, which include spam modules, website scanning modules and even credential stealing modules,” Fox-IT said. “This history and current events show Asprox is still actively being developed and used.”
Once a visitor lands on a site hosting the malicious ad, their browser is redirected in the background to ads[.]femmotion[.]com, which then redirects to the exploit kit on a couple of different domains, the gloriousdead[.]com and taggingapp[.]com.
“All the exploit kit hosts were observed using port 37702. Running exploit kits on high ports at best prevents certain network tools from logging the HTTP connections, as these are typically configured to monitor only HTTP ports,” Fox-IT said. “It does mean this exploit kit is blocked on a lot of corporate networks as they do not allow for browsing outside the normal HTTP ports, port 80 (or proxy ports) and 443 for SSL.”
Fox-IT points out that the hosting websites likely have no idea they were serving malicious ads. Ad networks rely on a process known as retargeting, in which ad and content providers leave tracking data behind so that subsequent advertisers don’t serve the same ad content.
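The two observations above, a redirect through a named ad domain and exploit-kit traffic on port 37702, are exactly what an egress or proxy log review can catch. The following is an added example written for this article, not code from Fox-IT or the page; it runs a small detector over constructed proxy log lines in an assumed format, flagging requests to the hosts named in the report and any web traffic on a port outside the normal browsing set. The hostnames and allowed-port list are illustrative and would come from the report and the local proxy policy in practice.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (not real traffic). Assumed format:
# "<timestamp> <client_ip> <method> <scheme>://<host>:<port><path> <status>"
SAMPLE_LOG = """\
2014-08-20T10:01:02Z 10.0.0.12 GET http://news.example.com:80/index.html 200
2014-08-20T10:01:03Z 10.0.0.12 GET http://ads.femmotion.com:80/serve?id=123 302
2014-08-20T10:01:04Z 10.0.0.12 GET http://taggingapp.com:37702/landing.php 200
2014-08-20T10:01:05Z 10.0.0.12 GET https://mail.example.com:443/inbox 200
2014-08-20T10:02:10Z 10.0.0.33 GET http://intranet.example.com:8080/app 200
"""
# Ports a typical corporate proxy permits for browsing; anything else is suspect.
ALLOWED_WEB_PORTS = {80, 443, 8080, 8443}
# Redirect and exploit-kit hosts named in the Fox-IT report quoted above.
KNOWN_BAD_HOSTS = {"ads.femmotion.com", "taggingapp.com"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<scheme>https?)://"
    r"(?P<host>[^/:\s]+):(?P<port>\d+)(?P<path>\S*) (?P<status>\d{3})$"
)

@dataclass(frozen=True)
class Finding:
    client: str
    host: str
    port: int
    reasons: tuple

def _is_known_bad(host: str) -> bool:
    # Match the listed host and any subdomain of it.
    host = host.lower()
    return any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS)

def analyze(log_text: str) -> list:
    """One Finding per line touching a known host or using a non-browsing port."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        host, port = m["host"], int(m["port"])
        reasons = []
        if _is_known_bad(host):
            reasons.append("known-malvertising-host")
        if port not in ALLOWED_WEB_PORTS:
            reasons.append("web-traffic-on-nonstandard-port")
        if reasons:
            findings.append(Finding(m["client"], host, port, tuple(reasons)))
    return findings
```

Run against the sample, the port check alone would surface the exploit-kit request even with no host list, which is the gap the report describes in tools that watch only ports 80 and 443.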

By being selective and displaying the rogue ads only to browsers that stored certain metadata, the attackers likely made it harder for site owners to detect the rogue content or to investigate reports from potentially affected users, as replicating the malicious behavior would have proven difficult.

The attackers also took advantage of the real-time bidding process that’s used to serve ads based on user metadata like geographical location, browser type and Web browsing history. This mechanism allows advertisers to bid in real time to display their ads to visitors that meet certain criteria.

“In the case of this malvertising campaign the malicious advertisers were the highest bidders,” the Fox-IT researchers said in their blog post.

Photobucket, DeviantART and Oracle did not immediately respond to requests for comment about the malvertising attack that, according to Fox-IT, affected their websites.

Given the selective targeting used in the attack it’s hard to know the number of victims. However, users who visited the affected sites recently, especially during the time frame specified by Fox-IT, should scan their computers for malware.

There is no silver bullet to protect against this type of attack, but there are some methods to reduce the risk of compromise for users, the Fox-IT researchers said. These include enabling click-to-play for plug-in-based content in browsers that offer the feature, keeping browser plug-ins up to date, disabling plug-ins that are no longer needed and using ad blocking extensions.
