Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit

Summary: Security researchers from Trusteer have detected several malvertising campaigns, affecting multiple ad networks, which attempt to serve client-side exploits, ultimately dropping malware through the Black Hole Exploit Kit.


Security researchers from Trusteer have detected several malvertising campaigns affecting multiple ad networks, which attempt to serve client-side exploits, ultimately dropping malware through the Black Hole Exploit Kit.

According to the researchers:

About 9% of the exploits originated from Clicksor, but at least ten other ad networks were hosting similar malvertising campaigns, including: linkbucks.com, Hooqy Media Advertiser, traff.co, bannersbroker.com, adf.ly, paypopup.com, smsafiliados.com and exoclick.co

There are several ways for cybercriminals to reach the multi-million audience of these ad networks:

  • Socially engineering their way into the system through legitimate accounts - Just how easy is it to join an advertising network? Too easy, especially if you're a cybercriminal looking for ways to reach the audience of legitimate, high-trafficked Web properties. It has happened before, and it will happen again. For instance, in 2009, Gawker Media was tricked into featuring malicious Suzuki ads, which in reality attempted to exploit client-side vulnerabilities on the visitor's host. On most occasions, cybercriminals establish a bogus online identity for their company, product or service in an attempt to pass the ad network's security checks (if any), and only later reveal their true malicious nature by abusing the access to the audience they've gained.
  • Compromising legitimate advertiser accounts and using their trusted network reputation for malicious purposes - this is perhaps the most effective and efficient way for cybercriminals to target the audience of high-trafficked, legitimate Web sites. Once they gain access to a trusted advertiser within an ad network, they can easily abuse that reputation by simply changing the campaign's URLs to point at their malware- and exploit-serving pages. How would they get that access? By data mining a botnet's "infected population" for any kind of account data that they can steal and later abuse.
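The account-compromise route above hinges on a trusted advertiser quietly changing a campaign's landing URL. As an added example (not code from the article, from Trusteer, or from any ad network), here is a small ad-network-side review rule in Python that holds such a change for manual review whenever the new landing URL points at a registrable domain the account has never used before; the event shape, the AdvertiserHistory record and the short public-suffix table are assumptions made for the example.

```python
"""
Added example: hold landing-URL changes that point at a domain the
advertiser account has never used.  Event format, the AdvertiserHistory
record and the public-suffix table are assumptions, not an ad network's API.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Tiny stand-in for the Public Suffix List (assumption: a real deployment
# would load the full list instead of this hand-picked set).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url: str) -> str:
    """Return the registrable domain (eTLD+1) of a web URL, lower-cased.

    Raises ValueError for non-http(s) schemes or URLs without a host, so a
    creative whose link is e.g. a javascript: URL cannot slip through as
    'no domain'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    labels = parts.hostname.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class AdvertiserHistory:
    """Per-account memory of registrable domains approved in the past."""
    account_id: str
    known_domains: set = field(default_factory=set)


def review_url_change(history: AdvertiserHistory, old_url: str, new_url: str):
    """Decide whether a landing-URL change is auto-approved or held.

    Returns (decision, reason) where decision is "approve" or "hold".
    """
    try:
        new_domain = registrable_domain(new_url)
    except ValueError as exc:
        return "hold", f"unparseable landing URL: {exc}"
    if new_domain in history.known_domains:
        return "approve", f"{new_domain} already used by {history.account_id}"
    return "hold", (f"{new_domain} never used by {history.account_id} "
                    f"(previous URL: {old_url})")


def approve_after_review(history: AdvertiserHistory, url: str) -> None:
    """A reviewer accepted the change: remember the domain for next time."""
    history.known_domains.add(registrable_domain(url))


def triage(history: AdvertiserHistory, events):
    """Run the rule over (old_url, new_url) change events; list of decisions."""
    return [review_url_change(history, old, new) for old, new in events]


# Constructed sample data: one advertiser that has only ever linked to
# example-shop.com, and three URL-change events against its campaign.
SAMPLE_HISTORY = AdvertiserHistory("adv-1042", {"example-shop.com"})
SAMPLE_EVENTS = [
    # path change within the known domain: routine
    ("https://www.example-shop.com/spring",
     "https://www.example-shop.com/summer-sale"),
    # different registrable domain (a .co.uk lookalike): hold for review
    ("https://www.example-shop.com/summer-sale",
     "https://promo.example-shop.co.uk/landing"),
    # not a web URL at all: hold
    ("https://www.example-shop.com/summer-sale", "javascript:void(0)"),
]

if __name__ == "__main__":
    for (old, new), (decision, reason) in zip(SAMPLE_EVENTS,
                                              triage(SAMPLE_HISTORY, SAMPLE_EVENTS)):
        print(f"{decision:8} {new:45} {reason}")
```

The rule deliberately keys on the registrable domain rather than the full hostname, so a takeover that moves a campaign from `www.example-shop.com` to `cdn.example-shop.com` is still auto-approved while a move to a lookalike under a different suffix is not; pairing it with a check on who changed the URL and from where would tighten it further, but that data is outside what this article describes.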

Users are advised to run the latest versions of their third-party software and browser plugins, to mitigate the risk posed by the exploitation of outdated, already-patched client-side vulnerabilities - the primary exploitation vector of the cybercrime ecosystem in general.

What do you think: how trusted are high-profile "trusted" Web sites these days?


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

2 comments
  • great info...

    Great article, thanks. There is definitely a nice money-making market available for businesses that can create ways to stop these current and future exploits.
    sg1efc
  • Awesome article ... but

    Is it ironic that Chrome is blocking the majority of ZDNet pages today, citing "Content from cm.netseer.com, a known malware distributor, has been inserted into this web page. Visiting this page now is very likely to infect your Mac with malware."?
    farhanible