Malvertising campaign strikes top websites worldwide

Web domains including The New York Times, BBC, AOL and MSN became victims of the campaign, designed to spread the Angler exploit kit.
Written by Charlie Osborne, Contributing Writer

Popular websites across the world fell prey to a malicious advertising campaign which sent unwitting visitors to the Angler exploit kit which serves TeslaCrypt ransomware.

A number of security firms detected and reported a spike in malicious traffic which took place over the weekend. Researchers from Trustwave, Malwarebytes and Trend Micro said the spike in malicious traffic impacted a number of high-ranked Alexa websites, and was caused by a malvertising campaign which served malicious adverts to visitors.

The campaign led to the Angler exploit kit, which contained not just ransomware, but also a Trojan used for surveillance and data theft.

The malvertising campaign, whether part of a coordinated effort or the responsibility of one organised fraudster group, reportedly spread across websites belonging to companies including the BBC, The New York Times, AOL, MSN and answers.com.

Trend Micro reports that the campaign may have affected tens of thousands of users within only 24 hours of being live.

Malvertising is the use of malicious adverts to spread malware. Many Internet domains rely on adverts supplied by third-party ad networks in order to generate enough revenue to stay afloat, and unfortunately, sometimes fraudulent and fake adverts slip through the net.

It is important to note that legitimate websites which serve malicious ads are often as much of a victim as their users since they do not have control over these external ad networks.

Either way, though, once a malicious ad is successfully hosted on a legitimate website, it can link to domains controlled by cyberattackers and files such as the Angler exploit kit.

In some cases, simply loading the page is enough for the malicious ad to check for browser vulnerabilities and potentially infect a visitor's system.

The higher the rates of traffic, the more likely the campaign is to be successful and infect systems before removal.

According to Trustwave, the cyberattacker behind this malvertising campaign "acquired an expired domain of a small but probably legitimate advertising company in order to utilize this for malicious purposes," providing them with the avenue to exploit high-ranking websites through BrentsMedia.com.

"BrentsMedia was probably a legitimate business, and though we can't know for sure, it's likely that the people behind this operation are trying to ride on the reputation the domain had and abuse it to trick ad companies into publishing their malicious ads," Trustwave says.

The fraudulent advert used in the campaign contained a heavily-obfuscated JavaScript file with more than 12,000 lines of code -- almost 11,000 more than usual -- which included protections to avoid detection for as long as possible.

The malicious ad attempted to filter out both security researchers and website visitors with antivirus products and patched systems, which would ensure exploit would not be successful.

However, if a visitor was using an unpatched system and has no anti-malware scans running, the victim would be sent to the Angler kit, which contained both the Bedep Trojan and TeslaCrypt ransomware. This exploit kit is the only one currently known to include an exploit for Microsoft's Silverlight vulnerability, which was patched in January this year.

Researchers at Malwarebytes also listed a number of other rogue domains which were serving malware, which may or may not be linked to the main malvertising scheme.

Malvertising campaigns are often quickly detected and pulled, but if you are running a vulnerable browser and happen to visit domains unwittingly serving malicious ads, you may become a victim -- further highlighting how important it is for users to keep their systems up-to-date and patched.

2016: The best high-end laptops for business users

Read on: Top picks

Editorial standards