Malvertising Campaign May Have Exposed Three Million Users Per Day


Security researchers have uncovered a major malvertising campaign on sites including Yahoo and AOL designed to drop ransomware onto victim machines, potentially earning attackers as much as $25,000 per day.

Given the popular nature of many of the sites targeted, the campaign may have exposed as many as three million people each day, according to email security firm Proofpoint.

Visitors to the infected sites were struck with a drive-by-download, infecting them with the CryptoWall 2.0 ransomware, the vendor explained in a blog post.

“Using Adobe Flash, the malvertisements silently ‘pull in’ malicious exploits from the FlashPack Exploit Kit. The exploits attack a vulnerability in the end-users’ browser and install CryptoWall 2.0 on end-users’ computers,” the post continued.

“Similar to the behavior of other ransomware, CryptoWall then encrypts the end-users’ hard drive and will not allow access until the victim pays a fee over the internet for the decryption key. Typically, the end-users face an escalating time deadline; failure to pay by the deadline results in their hard drives being permanently encrypted, thus rendered effectively useless, with all information inaccessible.”

Big name sites affected included Yahoo Finance, Fantasy and Sports; AOL; The Atlantic; The Age; Time Out US; and the Sydney Morning Herald.

At least three major ad networks were compromised: Rubicon Project, Right Media/Yahoo Advertising, and OpenX.

Proofpoint said it informed the networks and is confident that as of last weekend they have taken action.

“These ads passed through multiple parties including exchanges, optimizers, ad networks and web sites, all without detection at any step. It is clear that site owners and ad distributors need to invest in more advanced tools to detect malicious advertisements that are embedded in the ad stream,” it added.

“In particular, site owners cannot and should not assume that the ad networks are taking care of this for them, and should proactively seek tools for online brand protection.”

End users and enterprises must also ensure their anti-malware tools are up to the task of spotting these threats, and that known flaws in major software are patched.

Malvertising is one of the fastest growing threats in 2014. Back in March, Blue Coat named it the top mobile threat – responsible for 20% of all malware found on mobile devices.

Then in September, researchers uncovered the massive “Kyle and Stan” malvertising network, which is believed to comprise nearly 6,500 malicious domains.

Mark James, security specialist at Eset, also recommended users keep all operating systems, web browsers and other key software like Adobe Acrobat and Flash up to date.

“Blocking pop ups and installing web filters can also stop the malicious software from being run in the first place and always make sure you're running a reputable updated antivirus or internet security product,” he added.

“As for website owners, using trustworthy and established suppliers will help but often the advertising space is rented repeatedly and you may not be in direct contact with the actual advertiser.”
