The attack put users at high risk of ransomware infection, and it slipped past the security systems of several online advertising companies.
On Sunday, major websites such as The New York Times, BBC, MSN and Newsweek ran malicious online advertisements that attacked users' PCs. One expert said it was the largest such attack seen in the last two years.
The websites themselves were not at fault; they were unwitting victims of malvertising, a scheme in which cyber criminals upload harmful ads to online advertising companies, which then distribute them to top-tier publishers.
On Sunday, thousands of computers may have been exposed to the harmful advertisements, which likely means that some machines running vulnerable software were infected with file-encrypting ransomware or other malware.
Jerome Segura, a senior security researcher with Malwarebytes, said in a phone interview on Tuesday that some of the bad ads were still appearing on many websites, including the BBC's.
The advertisements connected to servers hosting the Angler exploit kit, which probes a visiting computer for exploitable software vulnerabilities in order to deliver malware.
A successful exploit can deliver ransomware, malware that encrypts the files on a victim's computer. Victims are then asked to pay a ransom, usually in bitcoin, for the decryption key needed to restore their files.
Trend Micro also wrote about the same attack on Monday. Segura said he delayed publishing his blog post while he contacted major advertising networks, including Google's DoubleClick, AppNexus, Rubicon and AOL, so they could remove the malicious advertisements. He published the post on Tuesday.
Several of the offending ads have been removed, but not all. Although some of the online advertisers had not yet acknowledged his reports, he decided to go public.
Josh Zeitz, vice president of communications at AppNexus, said via email on Tuesday that the advertisers who placed the bad ad had been "deactivated" soon after the company was notified by Segura. Zeitz said the bad ads were not placed directly through AppNexus but came from third-party sources.
Zeitz also wrote that AppNexus has an anti-malware detection system called Sherlock that is used to screen ads, and that the company also uses filtering products from third parties.
"To safeguard our customers, we devote considerable financial resources," Zeitz said. "Unfortunately, bad people also invest in developing new forms of malware."
Officials at Rubicon, Google and AOL could not immediately be reached for comment.
Segura said it is quite rare to see a single malvertising campaign affect several different advertising companies at the same time.
He added, "These are the top ad networks in the world. For some reason, they were all affected. It was really shocking, to be honest."
He contacted many advertising companies on Sunday, but some did not reply until Monday and others later still.
"I had to ask some of them again, and I heard from them on Monday night," Segura said. "On a weekend, the response time is definitely slower."
Malwarebytes detected the attack with the help of users of its Anti-Exploit software. If someone running Malwarebytes' software visits The New York Times and encounters a malicious ad, the attack is blocked immediately and reported back to Malwarebytes.
"This is how they are able to say that is where it happened," Segura said.
Sunday's large attack was preceded by a smaller one on Friday that used Rig, a different exploit kit. Segura theorized that the smaller attack, which still hit some major publishers, might have been a test run for the larger attack on Sunday, which he said was 10 times the size normally seen.
Malvertising has proven tough to stamp out. Online advertising companies use a variety of security tools to try to catch malicious ads, but those tools are far from foolproof.
The byzantine relationships among ad-serving companies, and the highly automated way online ads are sold and delivered, also give miscreants ample opportunity to get malicious ads into circulation.
Segura said, "It is hard to imagine that ad networks are doing business with each other without knowing each other properly."
The path an ad takes before loading on a web page is often a long trail of companies with ad-related business relationships. Speed is also a factor, since advertising slots are often sold via real-time bidding.
For example, the first request to deliver an ad to The New York Times' website might go to Google's DoubleClick servers, Segura said. But the actual ad may come from a long chain, and Google may not "always know who is responsible for this," Segura said.
"This is a bit of a problem," he said.
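Tracing that chain of redirects is how researchers work out which party actually served a bad ad. The following is an added example, not code from the article or from Malwarebytes: it follows an ad tag's redirect chain hop by hop, resolves relative Location headers, stops on loops, and reports the first hop whose hostname is not on a publisher's list of known intermediaries. The responses and hostnames (adnetwork-a.example and so on) are constructed for illustration and do not refer to any company named above; in practice `fetch` would be replaced by a real HTTP client that does not follow redirects itself.

```python
"""Follow an ad's redirect chain and report where it leaves known intermediaries.

Added example. The response table and hostnames below are constructed for
illustration (hypothetical *.example domains), not captured from a real campaign.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed stand-in for live HTTP responses: url -> (status, Location header or None).
# A real fetch would issue the request with redirects disabled and read these two values.
SAMPLE_RESPONSES = {
    "https://ads.adnetwork-a.example/tag?slot=leaderboard": (302, "https://bid.adnetwork-b.example/win?id=7"),
    "https://bid.adnetwork-b.example/win?id=7": (302, "/creative/7"),  # relative Location
    "https://bid.adnetwork-b.example/creative/7": (302, "https://cdn.reseller-c.example/ad.html"),
    "https://cdn.reseller-c.example/ad.html": (302, "https://trk.unknown-host.example/go"),
    "https://trk.unknown-host.example/go": (200, None),  # final landing page, no redirect
}

# Hypothetical list of parties the publisher has a direct or known business relationship with.
KNOWN_INTERMEDIARIES = {"adnetwork-a.example", "adnetwork-b.example", "reseller-c.example"}


def fetch_sample(url):
    """Fake fetch: look the URL up in the constructed table; unknown URLs act like a 404."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def follow_chain(start_url, fetch, max_hops=20):
    """Return the ordered list of URLs visited, starting at start_url.

    fetch(url) must return (status, location). Walking stops at the first
    non-redirect response, at a redirect back to a URL already seen (loop),
    or after max_hops URLs, so a hostile chain cannot spin the tracer forever.
    """
    visited = []
    url = start_url
    while url not in visited and len(visited) < max_hops:
        visited.append(url)
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or location is None:
            break
        url = urljoin(url, location)  # resolve relative Location headers against the current URL
    return visited


def hostname(url):
    """Lower-cased hostname of a URL, or an empty string if it has none."""
    return (urlsplit(url).hostname or "").lower()


def first_unknown_hop(chain, known_hosts):
    """Return (index, hostname) of the first hop not under a known host, else None.

    A hop counts as known if its hostname equals a known host or is a subdomain of one.
    """
    for i, url in enumerate(chain):
        host = hostname(url)
        if not any(host == k or host.endswith("." + k) for k in known_hosts):
            return i, host
    return None


if __name__ == "__main__":
    chain = follow_chain("https://ads.adnetwork-a.example/tag?slot=leaderboard", fetch_sample)
    for i, u in enumerate(chain):
        print(f"hop {i}: {hostname(u):32} {u}")
    print("first unknown party:", first_unknown_hop(chain, KNOWN_INTERMEDIARIES))
```

The tracer only records hops; it deliberately does not execute any script it finds at the landing page, which is where an exploit kit would do its work. In the constructed chain the fourth redirect hands off to a host that is not on the known list, which is the kind of hop an ad network would need to explain before it could say who was responsible for the creative.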