“These websites have not been compromised themselves, but are the victim of malvertising,” the researchers said Wednesday in a blog post. “This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware.” Angler is among a menu of exploit kits available on underground forums and used in campaigns to own websites and redirect victims off to sites hosting banking malware and other types of malicious code. AppNexus, in May, was serving malicious ads targeting Microsoft’s Silverlight platform. Streaming film and television service Netflix runs on Silverlight, and because of its popularity, hackers have been loading malware kits such as Angler with Silverlight exploits. In the current campaign, the kit checks whether the victim’s browser supports a vulnerable version of Java or Flash, in addition to Silverlight, and then embeds and exploit that initiates a download of Asprox, Fox-IT said, which added that it has contacted AppNexus informing them of the issue. By being selective and displaying the rogue ads only to browsers that stored certain metadata, the attackers likely made it harder for site owners to detect the rogue content or to investigate reports from potentially affected users, as replicating the malicious behavior would have proven difficult. The attackers also took advantage of the real-time bidding process that’s used to serve ads based on user metadata like geographical location, browser type and Web browsing history. This mechanism allows advertisers to bid in real time to display their ads to visitors that meet certain criteria. “In the case of this malvertising campaign the malicious advertisers were the highest bidders,” the Fox-IT researchers said in their blog post. Photobucket, DeviantART and Oracle did not immediately respond to requests for comment about the malvertising attack that, according to Fox-IT, affected their websites. Given the selective targeting used in the attack it’s hard to know the number of victims. However, users who visited the affected sites recently, especially during the time frame specified by Fox-IT, should scan their computers for malware. There is no silver bullet to protect against this type of attack, but there are some methods to reduce the risk of compromise for users, the Fox-IT researchers said. These include enabling click-to-play for plug-in-based content in browsers that offer the feature, keeping browser plug-ins up to date, disabling plug-ins that are no longer needed and using ad blocking extensions.
