The Malicious Advertisements
At the end of August, malicious advertisements directed some visitors of several high-profile websites to browser exploits that installed malware on their computers.
Between 19th and 22nd August, visitors of several popular websites, including TMZ.com, Java.com, Photobucket.com, Deviantart.com, eBay.ie, IBTimes.com, TVgids.nl and Kapaza.be, were attacked in a malware advertising campaign. Malware researchers confirm that these websites were not compromised; they are themselves victims of malicious advertisements.
In this case the advertisement provider distributed these ads on the websites, infecting users with malware. This was done through AppNexus, a company that provides regular online advertising platforms, which redirected the visitors to the Angler exploit kit to install Asprox botnet malware. According to the malware experts, this tool exploits vulnerabilities in outdated versions of Microsoft Silverlight, Flash Player and Java and secretly installs malicious programs on users' computers to perform advertisement click fraud.
The New Aspects of Asprox
Asprox is known to malware experts for sending spam. Today, however, it comes in a more sophisticated form with increased malicious functionality: it can scan websites for vulnerabilities and steal users' log-in credentials that have been stored on their computers.
How Does Asprox Work?
The cyber attackers know the online advertising practice of retargeting well, and in this case they use it to make the attack difficult to detect. As the malware experts know, retargeting is the process in which PC users receive tracking data such as files and cookies when they visit some brand websites. Later, these same users are shown advertisements for those brands on the websites they are browsing. When the PC users are retargeted later, the tracking data delivers malicious content to their computers along with the data.
The Advantages of the Attackers
- The cyber criminals here are selective and they display the rogue advertisements only to browsers that store certain metadata.
- The site owners find it difficult to detect the rogue content or to investigate the reports from the affected PC users.
- The cyber attackers have the advantage of real-time bidding, which is used to offer ads to users based on their location, browsing history and browser type.
- Due to the selective targeting, the website owners cannot estimate the number of victims. The users who have visited the affected sites in the second half of August 2014 should scan their computers for malware.
What Should Users Do?
It is quite difficult for PC users to stay protected against this specific type of malware attack; however, they can take certain steps to reduce the risk. These include:
- enabling the click-to-play option for plug-in-based content in the browsers that offer that feature
- keeping the plug-ins of the browser up to date
- disabling the plug-ins that are not needed
- using extensions to block ads
The malvertising problem is taken quite seriously by malware analysts. They do their best to identify the complex nature of these malware advertising campaigns and to remove the source through different tools.