Malvertising Push Infects 288 Popular Websites

A large malvertising campaign hitting the Netherlands is affecting most of the popular Dutch websites, with a total of 288 sites affected.

Malvertising occurs when cyber-criminals create ads which are perceived as legitimate but actually spread malware by hiding a small piece of code deep in the script. Thus, when a surfer clicks on such an ad, the victim’s computer is connected to criminal servers rather than to the legitimate advertiser that the ad purports to be from, and the malware is downloaded, usually with the victim being none the wiser.

Researchers at the Fox-IT Security Operations Center (SOC) said that this particular campaign is occurring through an advertisement platform that loads external scripts before redirecting traffic to the Angler Exploit Kit. From there, TeslaCrypt, Cryptowall and other baddies can be disseminated.

The impact could be widespread: Web analysis firm SimilarWeb estimates that Nu.nl alone had more than 50 million visitors in March. Other affected sites include eBay-style service Marktplaats.nl and well-known news and culture sites, Fox-IT said.

“We’ve been in contact with the affected advertisement provider who responded quickly to the incident and has filtered the listed IOCs in their advertisement platform,” the security researchers said in an analysis. “They will be tracking down the affected content provider as this issue has not been fully resolved, it has simply been filtered for now.”

Malvertising is an increasingly popular attack vector, since it’s relatively easy to execute. Recent research from RiskIQ revealed that malvertising jumped up over 300 percent year on year between 2014 and 2015, following a string of exploitations of major publishing sites such as Forbes.com, Huffington Post and The Daily Mail. The most common lure used in malvertisements to date has been fake Flash updates.

Last month, several high-profile media sites, including the New York Times, the BBC, MSN and AOL, fell victim to a rash of malicious ads. According to Malwarebytes, other infected sites in what is almost certainly a coordinated attack include the Comcast outpost My.Xfinity, NFL.com, Realtor, TheWeatherNetwork, Newsweek and thehill.

“Clearly cyber-criminals are targeting high-traffic sites to try to encourage a larger number of clicks, and consumers are probably more likely to trust ads which are displayed on well-known, trusted websites,” said Malcolm Murphy, systems engineering manager, Infoblox, via email. “Meanwhile, the malware itself continues to grow in sophistication, often exploiting an organization’s domain name system, or DNS, as a pathway to connect to a malicious destination or botnet.”
