Malwarebytes researcher Jerome Segura says malvertisers have served the world's most dangerous exploit kit - Angler - through compromised advertisements run on LiveJournal.com and news service Likes.com.
The attacks are the latest in a string of brazen and successful malvertising campaigns that are smashing the web's most popular websites.
It represents a colossal win for the malvertising criminals: LiveJournal pulls 140 million clicks a month while Likes attracts some 110 million visitors.
Visitors to the sites, or to any other site compromised through malvertising, need only be served the malicious advertising to become victims; they do not need to click on ads.
Segura says the criminals who hours earlier hosed Gumtree Australia visitors have again compromised legitimate businesses, using their infrastructure and iconography to host what appear to be legitimate ads.
"Online criminals harvest registrant and domain credentials from legitimate companies via phishing attacks, or by using password stealers running on administrators’ machines," Segura says.
"They choose businesses that are most likely to offer a product or service and cleverly design an ad banner using some images and content from the site they are abusing.
"Last but not least, they register a subdomain with the stolen username and password to host that ad banner."
Users who fall victim to Angler, the most capable and popular product on offer in the exploit kit market, can expect to be infected with malware including ransomware and banking trojans.
The attacks are brilliantly executed, making detection difficult and enforcement even more complicated.
Criminals use stolen infrastructure from legitimate businesses that would seem typical of the types of organisations to advertise on the targeted sites.
They also change the malicious advertisements to serve benign ads for a limited time in a bid to fool detection mechanisms and researchers like Segura.
Moreover, they only target those using outdated software, lax security, and lame browsers like older versions of Internet Explorer, all of which increase the chances of infection.
Segura says a since-patched vulnerability in Internet Explorer allows attackers to scan victim machines and detect the presence of security software.
The attack follows the same procedure as the attack reported yesterday against Gumtree Australia targeting some of its 47.8 million monthly visitors with the Angler exploit kit.
The attacks are so successful because they exploit weaknesses in the global online advertising system, a high-paced and low-profit margin caper that leaves little room for integrity checks. ®