BBC Among Sites That Ran Malicious Adverts

When you go to a website, you are often met by an onslaught of advertisements. For everything from custom-built PCs to the latest diet trend, advertisements are everywhere. Sadly, they may not be the only thing appearing on your computer, as malicious adverts are appearing more and more often. In the most recent wave, even the BBC was caught running malicious adverts on its site.

Major websites were hit by the “malvertising” attack, in which malicious adverts are uploaded to third-party advertising companies, which then distribute these adverts to other sites. The harmful “malverts” delivered everyday malware and even file-encrypting ransomware, a type of software that is making an appearance more and more these days.

Trend Micro first reported on the malverts on Monday, while Malwarebytes Labs held off a similar post until Tuesday so that it could contact several advertising networks in the hope of getting the malicious adverts removed.

With large groups like the BBC, Newsweek, MSN and the New York Times all having exposed their visitors to the malicious adverts, it may be a good time to check that your anti-virus software is up to date and to do a thorough scan of your system.

TMZ Falls Victim to Malvertising Campaign

Malicious online activity in the form of hacks, malware and viruses has seen an exponential increase over the past 5 years. The rise in the number of consumers online, coupled with a lax understanding of the dangers of the many cyber threats, has led to more and more victims. Malvertising is one such example of how online advertisements can be hijacked and used to spread malware through malicious ads.

This technique has now found a new victim after online gossip site TMZ was found to be harbouring malicious online advertisements. For those who are unfamiliar with the site, TMZ is a hugely popular website that features exposés, gossip and general breaking news concerning the world of celebrity. The site pulls in over 30 million visitors a month and is a major attraction for online advertising revenue. Below is a summary of the attack.

It has been observed that the attack follows the same ad chain pattern seen before; this runs from “ContextWeb (PulsePoint) to Smarty Ads and eventually various rogue advertisers”. The latter are leveraging CloudFlare’s infrastructure with the aim of hiding the servers’ location as well as encrypting the advertisement delivery to consumers via the website.

The malicious ad is pretty cheap to deliver when you consider it costs “$0.19 (£0.12) for one thousand user impressions (CPM)”.

These attacks are designed to be as cheap as possible while targeting high-traffic, high-impact sites. On a side note, many websites try to discourage users from using popular ad blockers when accessing their sites; malicious advertisements leading to exploit kits are perhaps not the best deterrent.

Images courtesy of Malwarebytes and nickcannon

Malicious Ads Hit Amazon, YouTube and Yahoo According to Cisco

In a new blog post, Cisco describes the malvertising network dubbed Kyle and Stan. The network targets Windows and Mac devices alike, using the old trick of sneaking malware into advertising. There are only a few big advertising players on the market, so if you manage to sneak a malicious ad past their security controls, it will reach thousands, maybe even millions, of potential victims within minutes.

Talos Security Research has uncovered a major network that is doing exactly this, and due to the naming scheme of hundreds of its sub-domains, e.g. “stan.mxp2099.com” and “kyle.mxp2038.com”, they nicknamed the malvertising group Kyle and Stan. There are a lot of variations in the attack, but it always follows the same scheme. When served with the malicious advertisement, you are redirected to a different website depending on your system, Windows or Mac, where the download of a malicious file starts.

Once the victim is redirected to the final URL, the website automatically starts a download of a piece of malware that is unique for every user. The file is a bundle of legitimate software, such as a media player, and a unique-to-every-user configuration of malware compiled into the downloaded file. The attackers rely purely on social engineering techniques to get the user to install the software package.

No drive-by exploits are being used thus far, but the notable thing is that this technique is working not only on Windows but on Mac operating systems alike.

The first hits go back to the beginning of May, with June and July carrying the largest amount of traffic across the 74 sites on which the malvertising was detected. The network itself consists of over 700 domains, making it hard for blacklists and other detection tools to pick up on it.

The list below contains domains confirmed to have served the malicious ads at one point or another during the monitored period. It includes popular sites such as Amazon, Yahoo, WinRAR and YouTube.

  • 6nbzz.watch-now.awardcrowd.eu
  • 7ruzz.globalrewards.samplestation.eu
  • ads.yahoo.com
  • amazon.com
  • br5zz.watch-now.awardcrowd.eu
  • bvp.burstmedia.com
  • cdn.sharedaddomain.com
  • clkmon.com
  • cr2.gogorithm.com
  • grooveshark.audio-updates.com
  • gslbeacon.lijit.com
  • javaapx.com
  • javaupdating.com
  • johzz.watchnow.rewardbasket.eu
  • jvupdater.com
  • n11.adshostnet.com
  • serve.adsxgm.com
  • w0tzz.watchnow.rewardbasket.eu
  • www.alldldsoft.com
  • www.allsoftdll.com
  • www.allsoftpc.com
  • www.carefulclick.com
  • www.ddlsoftdirect.com
  • www.directdls.com
  • www.directsoftddl.com
  • www.dllfinalsoft.com
  • www.dllsoftultimate.com
  • www.dllultimatesoft.com
  • www.dlsofteclipse.com
  • www.downti.com
  • www.dwnllistsoft.com
  • www.dwnlsoft.com
  • www.dwnlultimatesoft.com
  • www.filenaut.com
  • www.filenetix.com
  • www.files101.com
  • www.filesbunker.com
  • www.filesonar.com
  • www.freeunlimitedvideos.com
  • www.getmplayer.com
  • www.getsoftdll.com
  • www.installrecommended.com
  • www.latestplayerplugin.com
  • www.lpdownclsva007.com
  • www.lpdownclsva011.com
  • www.mediaplayerinstaller.com
  • www.mediaplayertotal.com
  • www.moresoftdll.com
  • www.mysoftdll.com
  • www.newboxdl.com
  • www.newplayerupdate.com
  • www.pcsoftultimate.com
  • www.pitisoft.com
  • www.popdls.com
  • www.proplayersetup.com
  • www.recommendedfiles1.com
  • www.recommendedupdate.com
  • www.recommendedupdate14.com
  • www.softmediaplayer.com
  • www.softnewdll.com
  • www.softplayerdownload.com
  • www.softultimatedwnl.com
  • www.thelatestsoft.com
  • www.thesoftdll.com
  • www.totalsoftdll.com
  • www.totalsoftpc.com
  • www.ultimateplayersetup.com
  • www.ultimatevideoplayer.com
  • www.updatedrelease.com
  • www.updateneeded.com
  • www.winrar.com
  • www1.mediaplayernew.com
  • www1.updateplugins.com
  • youtube.com
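As an added example (not code from Cisco, Talos or this site), the script below shows how a defender could use the two indicators this post gives, the “kyle./stan.” naming scheme on `mxp` numbered domains and a handful of the attacker-side download domains from the list, to scan a web proxy log. The proxy log format and the log lines are constructed for the example, and only the plainly malicious download and redirect domains from the list are used; sites such as amazon.com or youtube.com, which merely served the ads, are deliberately left out because blocking them would be wrong.

```python
import re
from typing import NamedTuple, Optional, Iterable, List
from urllib.parse import urlparse

# Attacker-side domains taken from the page's list (subset, "www." dropped
# because the parent-domain walk below matches any subdomain of these).
KYLE_STAN_DOMAINS = {
    "javaupdating.com",
    "jvupdater.com",
    "mediaplayerinstaller.com",
    "recommendedupdate.com",
    "watch-now.awardcrowd.eu",
    "audio-updates.com",
}

# Naming scheme quoted on the page: "stan.mxp2099.com" / "kyle.mxp2038.com".
KYLE_STAN_PATTERN = re.compile(r"^(kyle|stan)\.mxp\d+\.com$", re.IGNORECASE)

class Hit(NamedTuple):
    line_no: int
    host: str
    reason: str

def _parent_domains(host: str) -> Iterable[str]:
    """Yield host and each parent domain, so a.b.example.com also yields example.com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def classify_host(host: str) -> Optional[str]:
    """Return why a hostname is suspicious, or None if it matches no indicator."""
    h = host.lower().rstrip(".")
    if KYLE_STAN_PATTERN.match(h):
        return "kyle/stan naming scheme"
    for candidate in _parent_domains(h):
        if candidate in KYLE_STAN_DOMAINS:
            return f"listed domain {candidate}"
    return None

# Assumed (constructed) proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

def scan_proxy_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line whose requested host matches an indicator."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        host = urlparse(m.group(4)).hostname
        if not host:
            continue
        reason = classify_host(host)
        if reason:
            hits.append(Hit(n, host, reason))
    return hits

# Constructed sample log: two benign requests, three that match the indicators.
SAMPLE_LOG = """\
2014-09-08T10:01:02Z 10.0.0.5 GET http://www.example.org/index.html 200
2014-09-08T10:01:05Z 10.0.0.5 GET http://stan.mxp2099.com/ad.js 200
2014-09-08T10:01:09Z 10.0.0.7 GET http://cdn.javaupdating.com/setup.exe 200
2014-09-08T10:01:11Z 10.0.0.7 GET https://www.wikipedia.org/ 200
2014-09-08T10:01:14Z 10.0.0.9 GET http://kyle.MXP2038.com/x 302
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.host} ({hit.reason})")
```

The parent-domain walk matters because the post notes the network spans over 700 domains with many sub-domains; matching the exact hostname alone would miss a new sub-domain of a known download domain, while the regex catches the naming scheme even for `mxp` numbers not seen before.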

Thank you Cisco for providing us with this information.

Images courtesy of Cisco and Southpark.