Tumblr: Set to Be Next Malvertising Target?

As online users rely more and more heavily on social media to stay up-to-date on current events and to share tips, links and recommendations, hackers have responded in kind with a surge in malvertising. It would appear that Tumblr, the mini-blogging site, is now poised for the next epidemic.

At issue is the fact that when followers share a Tumblr link, the embedded ads come with it. That makes the platform very attractive to those who specialize in serving up advertisements that look legitimate but also contain malicious code in an effort to infect systems with malware.

“Twitter and Facebook are the first go-to sites for most when it comes to real-time news updates. For some, Tumblr,” explained Jovi Umawing, a Malwarebytes intelligence analyst, in a blog. “We found the above site posting what appears as news clips but not on a daily basis, as indicated in the URL, unfortunately. According to Google Translate, the site uses both Swahili and Urdu. This site serves ads on its default page and on individual posts. So every time someone shares one, the ads are shared with it.”

Umawing noted that since online advertising is a major source of revenue for the entire ecosystem, malvertising has been consistently on the rise, especially for mobile users. And the issue is how criminals use the ad networks themselves.

Malwarebytes researcher Adam Kujawa has explained that cyber-criminals use malvertisements to try to spread their malware to a greater audience of users by submitting them to online advertisement networks that will show the malicious ad on numerous trusted websites. 

“The ad networks are usually not aware of the cyber criminal’s intent and approve non-malicious ads submitted by the criminals initially,” he said. “Once the ad is approved, however, the cyber-criminals switch out the legitimate ad for the malicious one, right under the noses of the ad networks.”

The networks fail to check modifications made to the advertisements and therefore allow the malvertisements to be shown on their customers’ webpages. The ad networks also quickly cycle through different advertisements with each view of the customer webpage. “The dynamic scrolling of ads makes it difficult not only to flag the existence of a malvertisement circulating on a network but also to identify which advertisement is the culprit,” he added.
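The gap described above, where a creative is approved once and later modified without a second review, can be narrowed by fingerprinting each creative at approval time and re-checking what is actually served. The sketch below is an added example, not code from Malwarebytes or any ad network; the function names, verdict strings and sample creatives are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class HostCollector(HTMLParser):
    """Collect every external host a creative loads from or links to."""
    URL_ATTRS = {"src", "href", "data", "action"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host.lower())


def fingerprint(creative_html):
    """Record what was reviewed: exact content hash plus referenced hosts."""
    collector = HostCollector()
    collector.feed(creative_html)
    digest = hashlib.sha256(creative_html.encode("utf-8")).hexdigest()
    return {"sha256": digest, "hosts": frozenset(collector.hosts)}


def check_served(approved, served_html):
    """Compare a served creative with its approval-time fingerprint.

    Returns (verdict, new_hosts). Any change should trigger re-review;
    hosts that were never reviewed are the higher-priority signal.
    """
    current = fingerprint(served_html)
    if current["sha256"] == approved["sha256"]:
        return "unchanged", set()
    new_hosts = set(current["hosts"]) - set(approved["hosts"])
    return ("changed-new-hosts" if new_hosts else "changed"), new_hosts


# Constructed sample creatives (not taken from any real ad).
APPROVED = ('<a href="https://shop.example.com/sale">'
            '<img src="https://ads.example.com/banner.png"></a>')
RESIZED = APPROVED.replace("banner.png", "banner-2x.png")
SWAPPED = APPROVED + '<script src="https://cdn.example.net/loader.js"></script>'

if __name__ == "__main__":
    baseline = fingerprint(APPROVED)
    for label, html in (("same", APPROVED), ("resized", RESIZED), ("swapped", SWAPPED)):
        print(label, check_served(baseline, html))
```

Because networks rotate creatives on every page view, the check is only useful if it runs on each served creative and logs the creative's identifier alongside the verdict.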

In the Tumblr case, one of the networks has already been used for this purpose in the past.

“For this particular Tumblr page, it uses the ad network Yllix Media,” explained Umawing. “Google Safe Browsing profiled its official website. Other third-party sites either blacklist the domain or flag it as untrustworthy due to its history of leading users to infected sites.”

So far, the ads on the site are benign, but that may not be the case for very long.

“Dear reader, we encourage you to use ad blockers, such as AdBlock Plus (ABP) or NoScript (for Mozilla-based browsers only), if you don’t want ads to appear on sites you visit,” she said. “I personally use Ghostery. If you’re not using one, please be wary of ads you click.”
