Malvertising Continues to Be a Popular Attack Vector for Hackers, New Threat Discovered

A new malvertising campaign was recently discovered that has been running for at least three weeks without being detected although security experts concede that the threat could have been operating undetected for much longer than that. Considering the large number of malvertising schemes that have been highlighted on this blog in recent months, it is becoming increasingly clear that businesses need to be more vigilant than ever before when it comes to selecting the companies they use to serve online advertisements to visitors. Several well-known online presences, including the Drudge Report, Answers.com, and eBay’s UK branch, were all recently affected by tainted online ad networks that have been serving ads infected with the Angler exploit kit. The Angler exploit kit is currently one of the most elusive and dangerous online exploit kits in the wild and is capable of finding known vulnerabilities in common Web browser plugins in an attempt to infect PCs with an assortment of malicious programs depending on the needs of the cybercriminals behind the campaign.

This latest malvertising campaign was discovered by security researchers at Malwarebytes, who have classified the campaign as "particularly successful" because the exploit kit is well-hidden and designed to look like legitimate digital advertisements. Unfortunately, once a PC user clicks on one of these infected ads, the experience becomes anything but legitimate. The cybercriminals behind this campaign, who have yet to be identified, apparently went to great lengths to deceive security researchers investigating the threat. This includes linking the malicious ads to sites that were once registered with the Better Business Bureau and that, at the time, submitted advertisements that were completely clean and malware-free. The real problem lies with the advertising networks that are ultimately responsible for serving up the malicious ads in the first place. In this case, popular ad networks including Doubleclick and AppNexus were involved in the dissemination of illegitimate advertisements with the Angler exploit kit embedded within them.

Unfortunately, these ad networks are more interested in making money than in properly vetting the ads they promote, which means that hackers are relying on these networks more and more to deploy malware campaigns that can have a devastating impact on the safety of the Internet.

The other problem is that many of these ad networks allow businesses to serve their ads from their own servers using encrypted HTTPS connections. This means that hackers can create a fake business (or, as was evident in this case, take over old existing businesses that appear to be legitimate) and serve malicious content to the ad network, which is subsequently displayed on legitimate websites, malware included. According to researchers at Malwarebytes, many of the links embedded within these malicious ads are actually redirected multiple times before ultimately landing on malicious websites that look for known vulnerabilities within Web browsers.

[Image: malvertising through popular websites]

This shady tactic could easily have been detected by the ad networks responsible for distributing the malware, had they done some quick testing of the links before allowing the advertisements to go live. Like so many other malvertising campaigns before it, this one is used primarily to target Web surfers in the United States and United Kingdom whose systems are running unpatched versions of popular Web browser plugins, including Adobe Flash Player, Java, and Microsoft Silverlight. While ad networks have become increasingly aware of the risk of tainted ads, the cybercriminals behind this attack took additional steps to avoid detection. As previously mentioned, using websites that had previously been registered with these ad networks (including many that were at one time registered with the BBB) made the ads seem legitimate at a quick glance. This probably allowed the malicious ads to slip past whatever fraud detection systems the ad networks have in place to prevent exactly this kind of threat, and it has allowed the Angler exploit kit to be covertly distributed through online advertisements for the past few weeks, if not months.
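As an added example (not code from the original post, Malwarebytes, or any ad network), here is the kind of quick pre-publication link check the article says ad networks could have run: follow a submitted ad URL's redirect chain and flag hops that leave the advertiser's declared domains, drop from HTTPS to plain HTTP, or exceed a hop budget. Every domain below is a constructed placeholder, and the fetcher is a stand-in lookup table rather than a live HTTP client, so the check runs offline.

```python
from urllib.parse import urlparse

# Constructed stand-in for the ad network's fetcher: maps a URL to
# (HTTP status, Location header or None). A real vetting job would issue
# HEAD/GET requests; the chain is embedded here so the check runs offline.
FAKE_RESPONSES = {
    "https://ads.example-advertiser.test/promo": (302, "https://cdn.example-advertiser.test/click"),
    "https://cdn.example-advertiser.test/click": (302, "http://track.unrelated-domain.test/go"),
    "http://track.unrelated-domain.test/go": (302, "http://landing.unrelated-domain.test/page"),
    "http://landing.unrelated-domain.test/page": (200, None),
    "https://ads.example-advertiser.test/clean": (200, None),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fake_fetch(url):
    """Hypothetical fetcher: unknown URLs behave like a 404 with no redirect."""
    return FAKE_RESPONSES.get(url, (404, None))


def follow_chain(url, fetch, limit=10):
    """Return every URL visited, stopping at a non-redirect, a loop, or the limit."""
    visited = []
    while url not in visited and len(visited) < limit:
        visited.append(url)
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or not location:
            break
        url = location
    return visited


def vet_ad_link(url, declared_domains, fetch, max_hops=2):
    """Vet a submitted ad URL before it goes live; an empty list means it passes."""
    chain = follow_chain(url, fetch)
    findings = []
    hops = len(chain) - 1
    if hops > max_hops:
        findings.append(f"too many redirects: {hops}")
    for hop in chain:
        parsed = urlparse(hop)
        host = parsed.hostname or ""
        # Any hop outside the domains the advertiser declared is suspicious.
        if not any(host == d or host.endswith("." + d) for d in declared_domains):
            findings.append(f"hop to undeclared domain: {host}")
        # A downgrade to plain HTTP mid-chain is another red flag.
        if parsed.scheme != "https":
            findings.append(f"non-HTTPS hop: {hop}")
    return findings
```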

When a user clicks on one of these ads, they are typically redirected to a malicious website (although this website may seem 100% legitimate). While browsing the malicious site, the Angler exploit kit is silently working in the background as it searches for known vulnerabilities in the PC.

Once a vulnerability is found, the appropriate exploit is run and any number of malware payloads can be dropped onto the target PC without the knowledge or consent of the PC owner. Common forms of malware installed by the Angler exploit kit include multiple forms of ransomware, keylogging software, rogue antivirus, and even dangerous banking Trojans such as Zeus and Citadel. In some cases, the infected PC simply becomes part of a clandestine botnet. In that case, the PC displays no signs of infection but can be activated remotely by the hackers controlling the botnet whenever additional computing power is needed. Often, these clandestine botnets are used in massive spam campaigns or as a way to DDoS popular Web services by combining the computing power and bandwidth of thousands, if not millions, of infected machines.

The best way to protect yourself from these malvertising threats is to ensure your PC is regularly updated. This includes both the Windows OS and any third party applications.

Also, make sure a valid antivirus software solution is installed and that all virus definitions are up-to-date, as this can often prevent the installation of malware when visiting a malicious site. Finally, disable all Web browser plugins that are not actually needed for daily PC tasks. Specifically, Adobe Flash, Java, and Microsoft Silverlight are the primary targets of the Angler exploit kit, and most PC users will find that these plugins are not needed for normal Web surfing. If these plugins are needed occasionally, it is recommended that a separate browser be used just for tasks that require one or more of them. For example, if your preferred browser is Google Chrome, disable all plugins in Chrome. Install Mozilla Firefox with these plugins and only use Firefox when one of them is required for the content you wish to view. Also, make sure these plugins are patched and updated regularly to remove most of the vulnerabilities targeted by the Angler exploit kit and other malicious payload delivery systems.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
