Up to 12,500 users per day may have been affected by a campaign that compromised MadAdsMedia, a U.S.-based web advertising network.
Visitors to sites that use the network's advertising platform were led to Adobe Flash exploits delivered by the Nuclear Exploit Kit. Three countries account for more than half of the hits: Japan, the United States and Australia.
According to Trend Micro, the attack was first seen in April, although at relatively low traffic levels. The number of users at risk grew significantly at the start of May, peaking at 12,500 affected users per day on May 2; the affected sites included a significant number of animation and manga-themed sites.
The final payload of the infection chain was Carberp, the banking Trojan. Carberp variants are known for stealing information.
“We initially thought that this was another case of malvertising, but later found evidence that said otherwise,” researchers explained in a blog. “Normal malvertising attacks involve the redirect being triggered from the advertisement payload registered by the attacker. This was not evident in the MadAdsMedia case. What we saw was an anomaly in the URL of their JavaScript library—originally intended to assign what advertisement will be displayed in the client site.”
But the URL didn’t always serve JavaScript code, and instead would sometimes redirect to the Nuclear Exploit Kit server. This indicates that the server used by the ad network to save the JavaScript library was compromised to redirect website visitors to the exploit kit.
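The tell in this case was a script URL that sometimes served the library and sometimes answered with a redirect. A site operator or ad network can watch for exactly that by fetching each third-party script URL on a schedule and comparing what comes back against a known-good baseline. The following is an added example written for this page, not code from Trend Micro or MadAdsMedia; it works over constructed fetch records rather than live HTTP, and the host names (`ads.example-network.invalid`, `landing.example-ek.invalid`) are placeholders, not the servers from the report.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class Observation:
    """One fetch of a third-party script URL (constructed record; no network)."""
    url: str
    status: int
    content_type: str
    body: bytes
    location: Optional[str] = None  # Location header when status is 3xx


def baseline_digest(body: bytes) -> str:
    """SHA-256 of the library as served during a known-good fetch."""
    return hashlib.sha256(body).hexdigest()


def classify(obs: Observation, good_digest: str) -> List[str]:
    """Return the anomalies seen in one fetch of the script URL.

    An empty list means the fetch looked like the known-good library.
    """
    findings: List[str] = []
    expected_host = urlparse(obs.url).hostname
    if 300 <= obs.status < 400:
        # A static library URL should never redirect; a redirect to a
        # different host is the pattern described in the article.
        target_host = urlparse(obs.location or "").hostname
        findings.append("redirect-offsite" if target_host != expected_host
                        else "redirect-onsite")
        return findings
    if obs.status != 200:
        findings.append(f"unexpected-status:{obs.status}")
        return findings
    if "javascript" not in obs.content_type.lower():
        findings.append("non-javascript-content-type")
    if hashlib.sha256(obs.body).hexdigest() != good_digest:
        findings.append("body-differs-from-baseline")
    return findings


def audit(observations: List[Observation], good_digest: str) -> Dict[int, List[str]]:
    """Classify every fetch; return only those with findings, keyed by index."""
    result: Dict[int, List[str]] = {}
    for i, obs in enumerate(observations):
        findings = classify(obs, good_digest)
        if findings:
            result[i] = findings
    return result


# Constructed sample data. Placeholder hosts, not the network's real
# infrastructure or the exploit-kit servers from the report.
SCRIPT_URL = "https://ads.example-network.invalid/lib/adselect.js"
GOOD_BODY = b"(function(){window.adSelect=function(s){return s;};})();"
GOOD_DIGEST = baseline_digest(GOOD_BODY)

SAMPLE_FETCHES = [
    # Known-good response: the library itself.
    Observation(SCRIPT_URL, 200, "application/javascript", GOOD_BODY),
    # The anomaly from the article: same URL, but a redirect to another host.
    Observation(SCRIPT_URL, 302, "text/html", b"",
                location="http://landing.example-ek.invalid/r"),
    # HTML where a script was expected.
    Observation(SCRIPT_URL, 200, "text/html", b"<html><body>...</body></html>"),
    # Right content type, but the body no longer matches the baseline.
    Observation(SCRIPT_URL, 200, "application/javascript",
                GOOD_BODY + b"\n/* unexpected appended code */"),
]

if __name__ == "__main__":
    for idx, found in audit(SAMPLE_FETCHES, GOOD_DIGEST).items():
        print(f"fetch #{idx}: {', '.join(found)}")
```

In a real deployment the records would come from a scheduled fetcher that does not follow redirects (so the 3xx is observed rather than silently followed) and runs from several vantage points, since a compromised server may answer differently by client IP or user agent. The baseline digest is refreshed only through the network's own release process, so any drift outside that process is a finding.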
The Flash exploits in use are targeting CVE-2015-0359, a Flash vulnerability that was patched in April of this year.
“Attacks like these highlight the importance for ad networks to keep their infrastructure secure from attacks,” Trend Micro noted. “Making sure that web servers and applications are secure will help ensure the protection of the business and their customers. End users, on the other hand, are advised to keep popular web plugins up to date. Users with the latest versions of Adobe Flash would not have been at risk.”
As for MadAdsMedia, it issued the following statement: “We launched an investigation shortly after noticing suspicious activity in our network. Soon after, we were contacted by Trend Micro; the details from their research played a crucial role in our efforts to eliminate this threat. We provided Trend Micro’s information to our hosting company, GigeNET.com, and they swiftly took action. Within hours, GigeNET identified the breach and simultaneously secured the network. We thank both Trend Micro and GigeNET for their efforts in protecting our users.”