Malware menaces poison ads as Google, Yahoo! look away

Booming attack vector offers mass malware distribution, stealthy targeting


Mad men

Malvertising campaigns are something criminal groups can keep in-house or pull off by paying outsiders. The service-based cyber-crime model is well-greased and allows for bad guys to pay niche experts for encryption, stolen traffic, and so on.

Independent French malware researcher Kafeine (@kafeine) points out operators on underground forums who are selling stolen traffic relating to malvertising with prices ranging from US$4000 for 100,000 multi-geographic hits (known in the marketplace as 'loads') to US$70 for 1000. By country, GrandClix sold United States traffic for the highest buck with US$500 for 1000 hits, and Australia and the United Kingdom attracting US$450 for the same amount.

Some groups do not need to outsource. "Depending on the individual case, some groups are almost owning the whole chain," Kaffeine says. "From the malvertising to the command and control of the malware loaded onto victims - they just rent the exploit kit slot."

Cisco's Schultz points out much the same, illustrating in March how one group had a "business relationship" with malvertising redirectors who offered the necessary traffic for the criminals to foist and fund their pay-per-install malware.

Both Kafeine, a skilled anti-cyber crime boffin, and Patrick Belcher (@BelchSpeak), senior researcher for security firm Invincea, say a single actor, judging by its tools, tactics, and procedures, is behind the recent major malvertising attacks against Yahoo! and big news sites.

That actor known as Fessleak has popped Yahoo! News, Huffington Post, and AOL among dozens of others serving the Kovter malware and using various exploit kits. The Invincea man says the actor is a "lone wolf" focused mainly on bedep click-fraud or advertising fraud bots. "He buys ads for three bucks from an ad company and then defrauds them out of $1000s from ad fraud," he says.

Another group Belcher has yet to reveal is a Russian outfit called ISGroup and so dedicated it created an entire fake company website dedicated to solar energy to deliver a single convincing malvertisement which foists the Rovnix rootkit.

Google was one of the advertising companies that facilitated that attack. "The whole reason for the front company was to sneak past the vetters (ad networks)," he says.

Experts agree the sophistication of the attacks and the channels that allow criminals to pull it off are set to improve to take advantage of the huge profits on offer. For some $6000 of investment, the Mad Hatter found criminals can inflict more than US$500,000 in damages.

Similar topics


Other stories you might like

  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • Info on 1.5m people stolen from US bank in cyberattack
    Time to rethink that cybersecurity strategy?

    A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

    In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

    "Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

    Continue reading

Biting the hand that feeds IT © 1998–2022