Forbes Hit by Malvertising Campaign: FireEye

Forbes.com visitors might have had their computers infected with malware earlier this month as a result of a malvertising campaign launched through a third-party advertising service, FireEye reported on Tuesday.

According to the security firm, users who accessed certain articles on Forbes.com between September 8 and September 15 might have been taken to a landing page for the Neutrino and Angler exploit kits.

These landing pages were set up to exploit vulnerabilities in popular software, such as Flash Player and Internet Explorer, in order to push malware onto victims’ devices.

The attackers abused the services of an advertising network and relied on real-time bidding to ensure that their malicious ads would be displayed. Forbes took steps to address the issue after being notified by FireEye, but Forbes.com visitors had been exposed to malicious advertisements for an entire week.

The use of both Angler and Neutrino in the same attack is not unheard of. The SANS Institute’s Internet Storm Center reported last month that cybercriminals had temporarily switched from using Angler to Neutrino.

Angler is currently considered the best exploit kit since its developers are highly skilled when it comes to adding support for recently patched and even zero-day vulnerabilities. However, cybercriminals seem to be experimenting with other exploit kits as well.

“Malvertising continues to be an attack vector of choice for criminals making use of exploit kits. By abusing ad platforms – particularly ad platforms that enable Real Time Bidding – attackers can selectively target where the malicious content gets displayed,” FireEye said. “When these ads are served by mainstream websites, the potential for mass infection increases significantly, leaving users and enterprises at risk.”

This wasn’t the first time Forbes was hit by a malvertising attack. The business magazine’s website was also targeted by sophisticated threat actors who abused Forbes.com in a cyber espionage campaign aimed at U.S. defense contractors, financial services firms and Chinese dissident groups.

Last week, Malwarebytes reported spotting a major malvertising campaign that went almost undetected for three weeks. The attackers had tricked major advertising networks into accepting their ads by posing as legitimate companies. The attack affected high-traffic websites such as eBay, Drudge Report, Answers.com, eHow Espanol, TalkTalk, News Now, and Manta.

Malwarebytes revealed on Tuesday that the same attackers had also managed to push their malicious ads on Realtor.com, a real estate website with 28 million monthly visits.

“Rogue advertisers are putting a lot of efforts into making ad banners that look legitimate and actually promote real products or services,” Malwarebytes said. “We should also note that the use of SSL to encrypt web traffic is getting more and more common in the fraudulent ad business and that only makes tracking bad actors more difficult.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.