German surfers blitzed by widespread malvertising campaign
Ads attack users through Angler, Neutrino Exploit Kits
German surfers are under attack from multiple directions this week because of a widespread malvertising campaign.
Users of eBay.de and subscribers of ISP T-Online.de were confronted with tainted ads after cybercrooks succeeded in pushing malicious traffic through rogue systems.
The attacks began after the crooks set up servers impersonating reputable ad networks, including the German ad-serving technology platform MP NewMedia, and used them to push rogue ads to top publishers and ad networks, security firm Malwarebytes reports.
The malign ad campaign is being funnelled through doppelgänger systems. “We spotted two bogus ad servers which bear the same structure that was inspired by the legitimate German platform they were abusing: www1.mpnrs.com/deliver2/deliver2?,” Jérôme Segura, a senior security researcher at Malwarebytes, writes in a blog post on the attack.
“A quick lookup on these domain names easily reveals that they are completely bogus. The domains were registered the day before the malvertising campaign started, and the admin’s email address is, well, pretty obviously untrustworthy,” he added.
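The check a network defender would want here is to hunt proxy or DNS logs for ad requests that copy the legitimate platform's delivery path on a host that is not the platform itself, and to weigh the domain's age, since the bogus domains were registered the day before the campaign. The script below is an added example, not code from Malwarebytes, The Register or MP NewMedia. Only the legitimate host and path (www1.mpnrs.com/deliver2/deliver2) come from the article; the log format, the `.example` hostnames, the creation dates and the allowlist are constructed for the example, and the creation dates stand in for a WHOIS lookup done elsewhere, because the script performs no network queries.

```python
"""Flag ad requests that copy a legitimate ad platform's URL structure on an
unrecognised host, the pattern Malwarebytes describes for this campaign.

Added example; not code from Malwarebytes, The Register or MP NewMedia.
Assumptions (not from the article): the log line format, the hostnames
ending in .example, the allowlist, and the creation dates supplied by the
caller in place of a real WHOIS lookup. No network access is used.
"""
from datetime import date
from urllib.parse import urlsplit

# The legitimate host and delivery path quoted in the article.
LEGIT_HOST = "www1.mpnrs.com"
LEGIT_PATH = "/deliver2/deliver2"

# Hosts treated as belonging to the legitimate platform (assumption).
ALLOWED_HOSTS = {LEGIT_HOST, "mpnrs.com"}

# Constructed proxy log lines: "<date> <client> <url>". Hostnames invented.
SAMPLE_LOG = """\
2015-10-16 10.0.0.5 http://www1.mpnrs.com/deliver2/deliver2?ct=1&zone=7
2015-10-16 10.0.0.5 http://ads.lookalike-mpnrs.example/deliver2/deliver2?ct=1&zone=7
2015-10-16 10.0.0.9 http://cdn.publisher.example/static/banner.png
2015-10-17 10.0.0.9 http://www1.mpnrs.example/deliver2/deliver2?z=3
"""

# Constructed domain creation dates, standing in for WHOIS results.
CREATION_DATES = {
    "www1.mpnrs.com": date(2008, 1, 1),
    "ads.lookalike-mpnrs.example": date(2015, 10, 15),
    "www1.mpnrs.example": date(2014, 6, 1),
}


def parse_log(text):
    """Split constructed log lines into (date, client, url) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, client, url = line.split(maxsplit=2)
        entries.append((date.fromisoformat(day), client, url))
    return entries


def is_lookalike(url):
    """True if the request uses the legitimate delivery path on a host
    that is not on the allowlist (the doppelganger pattern)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return parts.path == LEGIT_PATH and host not in ALLOWED_HOSTS


def flag_requests(text, creation_dates, max_age_days=7):
    """Return (client, host, reason) for each lookalike request, noting in
    the reason when the domain was registered within max_age_days of it."""
    findings = []
    for seen, client, url in parse_log(text):
        if not is_lookalike(url):
            continue
        host = urlsplit(url).hostname
        reason = "copies %s path on non-allowlisted host" % LEGIT_HOST
        created = creation_dates.get(host)
        if created is not None:
            age = (seen - created).days
            if age <= max_age_days:
                reason += "; domain registered %d day(s) before request" % age
        findings.append((client, host, reason))
    return findings


if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG, CREATION_DATES):
        print(finding)
```

Run against the constructed log, the script flags the two hosts that copy the delivery path and adds the registration-age note only to the one created a day earlier; the legitimate host and the unrelated banner request pass. In practice the allowlist should be built from the ad platform's published hostnames, and the age check should draw on real registration data rather than a local table.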
The publishers Malwarebytes logged as affected by this attack (there may be others) are all German sites: ebay.de, t-online.de, arcor.de, swp.de, fischkopf.de and donaukurier.de.
In each case the rogue advertiser managed to display its ads, which were ultimately geared towards exposing users to attacks served up through either the Angler or Neutrino Exploit Kits. Malwarebytes notified the affected publishers as well as MP NewMedia, which has reportedly dealt with the issue.
Security firm Invincea independently detected the T-Online front of this malvertising attack last weekend, as an advisory by the endpoint security specialist explains.
During 16-18 October, the homepage of German broadband provider T-Online delivered malvertising Trojans when users logged out of their webmail accounts.
The Trojans are related to the Tinba, or Tiny Banking Trojan and rootkit family, which persists on the host and captures online banking credentials.
In addition to banking Trojans, Bedep click-fraud bots were also delivered, which would turn an endpoint into a “zombie host” that would secretly click advertisements in an invisible browser.
T-Online was likely not aware that its website was being abused by malvertisers, but any visitors to that popular site from Friday through Sunday could have been compromised.
Although the T-Online incident and the other problems emanating from MP NewMedia have apparently been dealt with, Malwarebytes reckons the campaign may still be going on via other ad networks. “We advise caution and as usual the recommendation of keeping your systems up to date with multiple layers of defence is the best way to fight malvertising and drive-by download attacks,” Segura concludes. ®