Visitors of two well-known English-language news websites based in Israel could have had their computers infected with malware after cybercriminals managed to hijack the digital ads being served on the site.
Researchers at Malwarebytes noticed earlier this week that the websites of The Times of Israel and The Jerusalem Post had been serving malicious ads as part of a malvertising campaign that appears to involve several threat actors.
The malicious advertisements have been set up to redirect unsuspecting users to a page hosting the Nuclear Exploit Kit, which was recently spotted in an attack leveraging Facebook and the online magazine AskMen. Nuclear EK exploits Flash, Adobe Reader and Internet Explorer vulnerabilities in an effort to push malware onto victims’ computers.
In the attack affecting The Times of Israel and The Jerusalem Post, the cybercriminals were attempting to distribute a piece of malware detected by Malwarebytes as Trojan.Agent.BPEN. This is actually a threat of the Zemot family, which is designed to download other pieces of malware onto infected machines, including the information-stealers Zeus and Kuluoz. It’s worth noting that most of the readers of these news websites are located in the United States, according to statistics from SimilarWeb.
Malvertising campaigns are becoming more and more common and have hit a large number of high-profile websites recently. An operation analyzed recently by Cisco affected the websites of Amazon, Yahoo, WinRAR, and YouTube and targeted both Windows and Mac users.
In a blog post published on InfosecIsland on Thursday, RiskIQ CEO Elias Manousos warned that malvertising not only exposes users to fraud and personal data theft, but also damages brand equity and customer loyalty. The expert said a single malvertising campaign can affect more than 10% of the Web’s top 1,000 most visited sites.
“The malvertising problem stems from that fact that when an organization places an online advertisement it is typically placed by an ad network. Often, ad networks will resell unfilled ad spaces to other networks — basically doing anything to avoid unused real estate. Meanwhile, an ad is typically sent directly from the servers of the ad network that inherits the space, and are out of the advertising organization’s control,” Manousos said.
“This multi-level online advertising supply chain has any number of weak links that an attacker can exploit to slip malware into legitimate ads or even take out their own ads. Advertiser vetting by the ad networks is usually limited to the credit checks needed to assure payment for ad placement. There are no integrated controls, industry-enforced standards, or end-to-end accountability across the supply chain.”