Top-flight US online publishers are serving up adverts that attempt to install ransomware and other malware on victims' PCs.
Websites visited by millions of people daily – msn.com, nytimes.com, aol.com, nfl.com, theweathernetwork.com, thehill.com, zerohedge.com and more – are accidentally pushing out booby-trapped adverts via ad networks, warn infosec researchers.
The adverts are built from exploit kits, which as the name suggests, are toolkits of code that exploit security vulnerabilities in browsers and plugins to gain control of computers.
Jérôme Segura, a senior security researcher at Malwarebytes, said that the malvertising campaign began slowly before ratcheting up into top gear on Sunday.
“The first couple of days before this campaign went big, we observed a few hits on smaller publishers that were pushing the RIG exploit kit,” Segura blogged. "On Sunday, when the attack really expanded, the Angler exploit kit was then used.”
Trend Micro reported on the same attack on Monday. The exploit kit downloads a variant of the Bedep backdoor which, in turn, drops a trojan, according to Trend Micro, which reckons “tens of thousands of users” have been affected by the attack.
"It's important to note that while these popular sites are involved in the infection process they are, much like infected clients, victim of malvertising," blogged Trustwave's SpiderLabs Research. "The only 'crime' here is being popular and having high volumes of traffic going through their sites daily."
SpiderLabs has de-obfuscated the malware's code, and found that it checks to see if any antivirus and security products are installed, and if not: it pulls in Angler using a HTML iframe.
Patching regularly, uninstalling Silverlight or setting plugins such as Flash to click-to-play, will defend against attacks from dodgy banner adverts. ®