Massive Malware Campaign Targets Another Billion+ Users

The same cyber-crooks behind the recent malvertising attack on Yahoo! are at it again – this time, targeting AdSpirit, and infecting Drudge Report, Weather Underground, NetZero and other websites with malicious ads.

Security researcher Jerome Segura of Malwarebytes Labs explained that this is the same malvertising campaign that has been raging for weeks; it has simply moved to a new ad network used by many top publishers. The malvertising is loaded via AdSpirit.de and includes a redirection to an Azure website. Both URLs use HTTPS, so the redirect traffic is encrypted in transit, which makes it harder to spot the malicious activity at the network layer.

The rogue ad has now been taken down, but the damage is likely extensive given the number of monthly visitors these sites have. Drudgereport.com has 61.8 million visits per month; wunderground.com has 49.9 million; findagrave.com has 6 million, and so on.

The previous attack targeted Yahoo’s ad network and with it a potential 6.9 billion monthly visitors. Two domains were used in the redirects, and those redirects eventually led to the infamous Angler Exploit Kit.

“Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain,” Segura wrote. “The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it. It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns.”

Malvertisers are wising up and building more and more obfuscation into their approaches. Earlier in the summer, AdSpirit was also the carrier for a malvertising campaign that exposed over 10 million users to the Angler exploit kit. First discovered by Cyphort Labs, that campaign stood out from the plethora of others in that it used multiple SSL redirectors designed to encrypt traffic and make it harder for white hats to follow the redirection path.
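The two campaigns described above share one detection problem: because the ad call, the redirector hops and the exploit-kit landing page are all served over HTTPS, a network proxy without TLS inspection sees only a sequence of hostnames per client, not the URLs or the redirect responses. The following script is an added example (not code from Malwarebytes, Cyphort or the article) showing how a defender can still surface candidate chains from that limited view: it groups CONNECT requests per client, and flags any visit to a known ad-network host that is followed within a short window by a hop onto disposable cloud hosting. The log format, the hostnames other than adspirit.de, the window size and the hosting-suffix list are all assumptions constructed for the example.

```python
"""Infer ad-driven redirect chains from HTTPS proxy logs (added example).

With TLS in the way, the proxy records only "CONNECT host:443" per request,
so the chain is reconstructed from per-client ordering and timing, not from
Referer headers or 302 responses (which are encrypted).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# adspirit.de is the ad network named in the article; a production list would
# cover every network the organisation's users legitimately load ads from.
AD_NETWORK_DOMAINS = ("adspirit.de",)

# Hosting where anyone can stand up a throwaway redirector (assumed list).
DISPOSABLE_HOSTING_SUFFIXES = (".azurewebsites.net", ".cloudapp.net")

# Constructed sample log: "<ISO timestamp> <client_ip> CONNECT <host>:<port>".
# Hostnames under .invalid and the Azure label are placeholders, not IoCs.
SAMPLE_LOG = """\
2015-08-17T10:00:01 10.0.0.5 CONNECT www.drudgereport.com:443
2015-08-17T10:00:02 10.0.0.5 CONNECT ads.adspirit.de:443
2015-08-17T10:00:03 10.0.0.5 CONNECT example-redirector.azurewebsites.net:443
2015-08-17T10:00:04 10.0.0.5 CONNECT landing.example-ek.invalid:443
2015-08-17T10:05:00 10.0.0.7 CONNECT www.wunderground.com:443
2015-08-17T10:05:01 10.0.0.7 CONNECT ads.adspirit.de:443
2015-08-17T10:05:02 10.0.0.7 CONNECT cdn.example-benign.invalid:443
2015-08-17T10:20:00 10.0.0.9 CONNECT portal.example-corp.azurewebsites.net:443
"""

Event = Tuple[datetime, str, str]  # (timestamp, client, host)


def is_ad_network(host: str) -> bool:
    """True when host is one of the listed ad-network domains or a subdomain."""
    return any(host == d or host.endswith("." + d) for d in AD_NETWORK_DOMAINS)


def is_disposable_hosting(host: str) -> bool:
    """True when host sits on one of the assumed throwaway-hosting suffixes."""
    return host.endswith(DISPOSABLE_HOSTING_SUFFIXES)


def parse_log(text: str) -> List[Event]:
    """Parse CONNECT lines into (timestamp, client, lower-cased host) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, target = line.split()
        if method != "CONNECT":
            continue  # only TLS tunnels are of interest here
        host = target.rsplit(":", 1)[0].lower()
        events.append((datetime.fromisoformat(ts), client, host))
    return events


def find_chains(events: List[Event], window_seconds: int = 10) -> List[Dict]:
    """Flag ad-network hits followed by a hop onto disposable hosting.

    For each client, every connection to an ad-network host opens a window;
    distinct hosts contacted inside that window form the candidate chain.
    The chain is reported only if one of those later hops is on the
    disposable-hosting list, mirroring the AdSpirit -> Azure pattern.
    """
    by_client: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, client, host in events:
        by_client[client].append((ts, host))

    flagged: List[Dict] = []
    for client, hits in by_client.items():
        hits.sort()
        for i, (ts, host) in enumerate(hits):
            if not is_ad_network(host):
                continue
            deadline = ts + timedelta(seconds=window_seconds)
            chain = [host]
            for later_ts, later_host in hits[i + 1:]:
                if later_ts > deadline:
                    break
                if later_host not in chain:
                    chain.append(later_host)
            if any(is_disposable_hosting(h) for h in chain[1:]):
                flagged.append({"client": client, "start": ts.isoformat(), "chain": chain})
    return flagged


if __name__ == "__main__":
    for hit in find_chains(parse_log(SAMPLE_LOG)):
        print(hit["client"], hit["start"], " -> ".join(hit["chain"]))
```

On the sample, only client 10.0.0.5 is reported: its ad call is followed within the window by an Azure-hosted hop and then a further landing host, while 10.0.0.7 loads an ad that resolves to ordinary content and 10.0.0.9 reaches an Azure site without any ad call in front of it. The heuristic is deliberately a triage aid, not a verdict: legitimate ad creatives are also served from cloud hosting, so flagged chains should be reviewed alongside endpoint telemetry (plugin versions, process launches) rather than blocked outright.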

“Malvertising campaigns exploit a number of systemic weaknesses within the web’s ecosystem. These campaigns target verification and validation weaknesses in the ad networks and platforms,” said Lane Thomas, security research and software development engineer of Tripwire, in an email. “Then, after successfully gaining access to these ad systems, the associated attackers take advantage of scale and lax patching. Scale is an issue here because one successful penetration of an ad system leads to huge payoff in terms of the total number of victims who can be attacked via malicious ads.”

The final problem, which is where the exploit kit aspect of this problem wins, is due to massive amounts of lax software patching.

“Exploit kits focus largely on vulnerabilities in Adobe Flash, Java and Silverlight along with vulnerabilities in the core web browsers themselves, and exploit kits thrive because so many end users don’t keep their software patched and updated,” he added. “What does all this mean? The web is in a poor state of security, and there is no single person or system to blame.”
