Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Major Malvertising Operation Went Undetected for Three Weeks

A malvertising campaign affecting the websites of several major companies went undetected for almost three weeks, according to antivirus firm Malwarebytes.

A malvertising campaign affecting the websites of several major companies went undetected for almost three weeks, according to antivirus firm Malwarebytes.

Malvertising operations have become increasingly common because they allow cybercriminals to push malware onto victims’ computers without having to trick them into downloading email attachments or clicking on links.

The latest attack observed by Malwarebytes managed to stay under the radar for almost three weeks because the attackers used some clever techniques to avoid detection.

First of all, they registered on various ad platforms using companies that appeared legitimate — their websites had been created years ago, and some of them were even listed by the Better Business Bureau. The attackers managed to trick many advertising networks, including ones that had ties to major industry players such as DoubleClick, AppNexus, engage:BDR, and ExoClick.

As a result, the malicious advertisements reached the visitors of many high-traffic websites, including eBay, Drudge Report, Answers.com, eHow Espanol, TalkTalk, News Now, and Manta.

Once they tricked ad platforms into thinking that they were representing legitimate companies, the cybercriminals used real-time bidding to push their ads. One of the factors that made this campaign difficult to spot was the fact that the advertisements themselves were not malicious, Malwarebytes explained.

The attackers had been able to redirect victims to their malware-serving websites by loading the ads directly from a rogue ad server. Users were taken via URL shorteners or custom APIs to Angler exploit kit landing pages set up to push ransomware or ad fraud malware by exploiting vulnerabilities in unpatched software.

According to Malwarebytes, the highest number of users who accessed the exploit kit landing pages were located in the U.S. (46%) and the U.K. (36%). The security firm alerted advertisers and they took steps to disrupt the campaign.

Advertisement. Scroll to continue reading.

“While malvertising has made headlines during the past few months, the attacks that are documented publicly are only the tip of the iceberg. There are some campaigns that are so advanced that no one will ever see or hear about them, which is exactly what threat actors are hoping for,” Jérôme Segura, senior security researcher at Malwarebytes, wrote in a blog post.

“This particular case is a good illustration of why screening advertisers is so important, especially when they are allowed to host and serve the ad content themselves. The ad could be clean or booby trapped, but the rogue actors are in full control of the delivery platform and can instruct it to perform nefarious actions that will easily bypass most security checks,” the expert added.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

Exabeam has appointed Kish Dill as Chief Customer Success Officer.

More People On The Move

Expert Insights