ESET: Millions of Net Users Possibly Exposed to Malicious Malvertising Campaign

Researchers from ESET have warned that millions of internet users visiting popular news sites over the past few months may have been exposed to a malicious malvertising campaign. 

The firm says that the cyber-criminals behind the campaign have been, since at least the beginning of October, distributing malicious ads promoting applications calling themselves “Browser Defence” and “Broxu” which redirect users to the Stegano exploit kit.

ESET added:

“Without requiring any user interaction, the initial script reports information about the victim’s machine to the attacker’s remote server. Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin.

“Using the known Internet Explorer vulnerability CVE-2016-0162, the encoded script attempts to verify that it is not being run in a monitored environment such as a malware analyst’s machine,” and if the script does not detect any signs of monitoring, it redirects to the Stegano exploit kit’s landing page.

Upon successful exploitation, the executed shell code collects information on installed security products and performs – as paranoid as the cyber-criminals behind this attack – yet another check to verify that it is not being monitored. If results are favorable, it will attempt to download the encrypted payload from the same server again, disguised as a gif image.
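One defensive check the description above suggests, as an added example that is neither ESET's nor the article's code: a parser that walks the block structure of a body a server labels as a GIF and flags bodies that are not GIFs at all, are truncated, or carry extra bytes after the GIF trailer. The sample bodies and the function names are constructed here for illustration.

```python
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")

def _skip_sub_blocks(body: bytes, pos: int) -> int:
    """Advance past a chain of GIF data sub-blocks (length byte + data, 0 ends)."""
    while True:
        size = body[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def classify_gif_body(body: bytes) -> str:
    """Classify a response body that the server claims is a GIF image.

    Returns one of: "not-a-gif", "truncated-gif", "malformed-gif",
    "gif-with-trailing-data", "gif".
    """
    if not body.startswith(GIF_MAGICS):
        return "not-a-gif"
    try:
        # Logical Screen Descriptor: width, height, packed flags at offset 6
        _width, _height, packed = struct.unpack_from("<HHB", body, 6)
        pos = 13
        if packed & 0x80:                       # global colour table present
            pos += 3 * (2 << (packed & 0x07))
        while True:
            block = body[pos]
            pos += 1
            if block == 0x3B:                   # trailer: end of GIF stream
                break
            if block == 0x21:                   # extension: label byte + sub-blocks
                pos = _skip_sub_blocks(body, pos + 1)
            elif block == 0x2C:                 # image descriptor (9 bytes)
                local_packed = body[pos + 8]
                pos += 9
                if local_packed & 0x80:         # local colour table present
                    pos += 3 * (2 << (local_packed & 0x07))
                pos = _skip_sub_blocks(body, pos + 1)  # +1 skips LZW min code size
            else:
                return "malformed-gif"
    except (IndexError, struct.error):
        return "truncated-gif"
    return "gif-with-trailing-data" if pos < len(body) else "gif"

# Constructed 35-byte 1x1 GIF used as a known-good reference body.
MINIMAL_GIF = (
    b"GIF89a"
    b"\x01\x00\x01\x00\x80\x00\x00"            # screen descriptor, 2-entry GCT
    b"\x00\x00\x00\xff\xff\xff"                # global colour table
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02"                                    # LZW minimum code size
    b"\x02\x44\x01\x00"                        # one data sub-block + terminator
    b"\x3b"                                    # trailer
)
```

A body that is not a GIF, or that continues past the trailer, is worth quarantining and inspecting rather than serving to a browser.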

Apparently, payloads detected so far include backdoors, banking trojans, spyware, file stealers and various trojan downloaders.

“This type of malicious activity shows clearly how cyber-criminals are adapting to the best means to distribute and infect as many as possible through the platforms that work,” Mark James, IT security specialist at ESET, told Infosecurity. “There is a misconception that you have to visit ‘dodgy’ websites to get infected, but cyber-criminals are not stupid, why infect somewhere with a relatively small footfall when you can infect a website with infinitely more visitors thinking they are safe because they trust the name of the vendor?

“Some users still believe you actually have to click on a link or run a file to actually start the infection process, and what’s worse is in most cases the actual owner of the website is totally unaware they have a problem.”

The key to defending yourself, added James, is making sure you have a good, regularly updating internet security product installed, along with keeping your operating system and applications patched and up-to-date.

“A lot of websites use ads to help fund the free content we want and using things like ad blockers can have an adverse effect on this revenue stream but is a means of defense that could stop this type of attack.”
