Tech

Angler exploit kit targets up to 156 million UK Daily Mail readers in malvertising spree

The infamous Angler exploit kit has been striking up to 156 million Daily Mail readers a month.

Written by Charlie Osborne, Contributing Writer Oct. 13, 2015 at 10:00 a.m. PT

The Angler exploit kit has compromised the Daily Mail's online domain, potentially exposing up to 156 million readers a month to malicious advertising.

Malvertising is a persistent problem for online domains who rely on advertising revenue to stay afloat. In order to increase the click-through rates of ads -- increasing revenue for domain owners -- third-party networks often tailor advertising you see based on data such as search history or topics of interest.

These advertising networks are commonly used by popular websites which reach millions of users a month, making them a potentially lucrative attack vector for cybercriminals looking to compromise your systems.

Known as malvertising, attackers will pay for adverts to be displayed on web domains which link to malicious domains. If a victim clicks through, they are potentially exposing themselves to malware payloads, PC compromise and may also be enticed to submit their sensitive data if they believe themselves to be on a legitimate website.

While controls are in place to filter these ads and stop them from becoming part of an advertising ecosystem, unfortunately, some will inevitably slip through the net.

Featured

On Tuesday, cybersecurity firm Malwarebytes disclosed in a blog post that the "sophisticated" attack, previously documented as targeting eBay and Yahoo, has now turned its attention to the Daily Mail, a popular UK-based news publication which accounts for millions of monthly visitors.

As with many other online publications, advertisers bid to win prominent display panels on a website page. The Malwarebytes security team discovered that a group of cyberattackers had won one of these auctions, sending an advert to be displayed close to the Daily Mail toolbar. If accessed, this advert then users were sent to a fake advertising server -- supported by Microsoft's Azure platform -- which led to the Angler exploit kit.

The malware then fired known Internet Explorer and Adobe Flash Player exploits to the victim's system.

If the victim's PC was not fully patched and up-to-date, vulnerabilities in IE and Adobe Flash player allowed the exploit kit to infect the system, which then received a nasty payload of ransomware known as CryptoWall. All it takes is for the domain to be accessed for infection to begin.

Unfortunately for users, once this ransomware has infiltrated a system, files are encrypted and a 'ransom' payment in Bitcoin is demanded if victims wish to unlock their systems.

Malvertising remains one of the most common attack vectors for the Angler exploit kit. As attacks keep abusing advertising networks, trying to screen and detect fraudulent or dangerous adverts which link to exploit kits such as Angler or Blackhole can end up as a game of whack-a-mole.

You are probably not going to be able to prevent every malicious advert from entering these networks, but when a malicious advert compromises a well-known or popular website, it is simply a users number game which ensures some viewers will become victims although they have visited a trusted domain.

"Malvertising is a very dangerous and yet often misunderstood threat," Jerome Segura, Senior security researcher at Malwarebytes says. "There is no such thing as a safe website anymore and it is everyone's responsibility to ensure their devices are fully patched and well protected."

After contacting the Daily Mail and related advertising networks, the malicious adverts were removed on 12 October. This does not mean, however, that other threats will not turn up in the future.