An advanced malvertising attack is employing malicious web advertisements on the homepage of T-Online, Germany's largest broadband provider.
According to Invincea, for much of the past week, visitors to T-Online's website were hit with ads dropping a sophisticated rootkit and banking Trojan and click-fraud malware in intricate attacks designed to steal financial information, gain persistent footholds on victim PCs and hijack them for additional fraudulent activity.
The cyber-criminals utilizing T-Online's site in their attack configured their malicious ads to employ just-in-time (JIT) malware assembly on victim machines, and incorporated Windows utility-based scripting in order to evade traditional endpoint and network defenses, Invincea said. “Only endpoint devices running secure virtual container and behavioral detection defenses are able to reliably defeat these types of attacks on end users,” it said.
It is likely that thousands of T-Online users have been impacted by the malvertising campaign; the ISP's site is ranked the tenth most popular website in Germany, and 296th worldwide according to Alexa, making it the type of high-traffic domain coveted by malvertising actors.
Invincea said that the Trojans are related to Tinba, a.k.a. the "Tiny Banking" trojan and rootkit family, which persists on the host and captures online banking credentials. In addition to banking Trojans, Bedep click-fraud bots were also delivered, which would turn an endpoint into a zombie host that would secretly click advertisements in an invisible browser, in order to generate fraudulent advertising revenue.
“Online ads are auctioned and sold via Real-Time Ad Bidding in impression packs of 1,000 page views,” the firm said. “Invincea detected and stopped five attacks targeting our customers' endpoints over a five-day period, representing a possible pool of 5,000 compromised systems. However, it can be presumed there were many more attacks that affected endpoints not protected by Invincea, which could dramatically increase the number of victims.”
T-Online was likely not aware that its website was being abused by malvertisers via third-party ad networks. Any visitors to the popular site from October 16 through October 20, 2015 are advised to check their systems for possible compromise.