Fraud , Risk Management

Why Malvertising Attacks Won't Stop

Exploit Kits Continue to Target Flash Flaws, Experts Warn
Why Malvertising Attacks Won't Stop

The recent seven-day malvertising campaign that ran via Yahoo's ad network demonstrates not just the challenge of finding these attacks, but the difficulty of blocking or eradicating them.

See Also: Hide & Sneak: Defeat Threat Actors Lurking within Your SSL Traffic

The frequency and severity of malvertising attacks has been increasing in recent months, driven in large part by "the abundance of fresh vulnerabilities and exploits," Jérôme Segura, a researcher with security firm Malwarebytes, tells Information Security Media Group. "All exploit kits on the market are primarily leveraging the recent Flash Player vulnerabilities, and it is paying off in a big way."

Indeed, for seven days, attackers successfully infiltrated Yahoo's advertising network, using it to redirect visitors to sites that host drive-by malware attacks, according to Malwarebytes, which detected the attacks and alerted Yahoo.

Yahoo has confirmed the attack campaign, which it reports blocking as of Aug. 3. "Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action to block this advertiser from our network," a spokeswoman says in a statement. "We take all potential security threats seriously. With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue."

Malvertising Targets

These types of "malvertising" attacks are regularly directed at all large Internet advertising networks and may attempt to directly infect viewers' devices with malware, or redirect them to a site that launches drive-by attacks (see Ransomware Attacks Subvert Ad Networks). Security experts say Yahoo is an obvious target for malvertising campaigns, given its size - the site recorded an estimated 6.9 billion visits in June, reports research firm SimilarWeb.

Estimated monthly visits to Yahoo. Source: SimilarWeb

Segura says that the "large scale attack" against Yahoo began July 28 and targeted a vulnerability in a previous version of Flash. He says the attacks were designed to redirect Yahoo site visitors to a landing page for the Angler Exploit Kit, which targets known vulnerabilities in browsers to take control of a device. According to Cisco, Angler successfully infects 40 percent of the systems to which it gets exposed, compared with 20 percent for the average crimeware toolkit.

Large websites typically rely on third-party advertising networks to serve relevant ads. But attackers also attempt to place ads on these networks, which can be used to redirect users to malicious sites. "Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload," Segura says in a blog post. "The mere fact of browsing to a website that has adverts - and most sites, if not all, do - is enough to start the infection chain."

Such attacks can be difficult to block outright because of the many third-party relationships involved. "The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it," Segura says. "It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns."

Large Firms Under Fire

Yahoo is just one of a number of firms that is regularly targeted by attackers who run malvertising campaigns. "The likes of Yahoo, Facebook, Apple and other big names, they are continuously targeted," Mark James, a security specialist at security firm ESET, tells Information Security Media Group. "The bad guys know that if they can get something on these type of Web pages, it's going to hit a lot of people quickly. Give them credit, Yahoo, they dealt with it quickly, they got it resolved, they got it stopped relatively quickly. They did do what they needed to do."

ESET's Mark James discusses the Yahoo malvertising incident.

Malvertising is a well-known problem with no easy solution. "Malicious advertising is difficult to prevent consistently, even for advertising services with a solid track record and who take effort to prevent sustained malicious advertising campaigns," threat-intelligence firm iSight Partners says in a research note.

Yahoo says that it actively battles "disruptive ad behavior" in part by using automated testing to identify attacks. The company also says that a majority of the advertisements it displays on its site are now served via so-called SafeFrame iFrame windows, which are designed to help block many of the technological ways that iFrames can be used in a malicious or deceptive way by either attackers or advertisers, for example to seize control of or spy on PCs.

But the recent Yahoo malvertising campaign appeared to be designed simply to redirect users - via two domains that attackers registered with Microsoft's cloud-computing platform Azure - to websites that attempted to infect them with the Angler Exploit Kit. "This is a rather unusual case and I don't really think Microsoft is to blame for this," Segura says. "But as Azure gets more and more popular, they will have to keep an eye for any kind of abuse - i.e. phishing, etc. - that usually comes with it."

While Malwarebytes researchers did not intercept the precise attack code being used in the Yahoo malvertising campaign, Segura says that Angler has recently been attempting to infect users with both Bedep ad-click malware and CryptoWall ransomware.

Exploit Kits Heart Flash

The malvertising campaign on Yahoo attempted to exploit a vulnerability in Flash that has been patched by Adobe. And while the Angler Exploit Kit - described by iSight Partners as being "one of the most effective and expensive kits available on the market" - regularly targets Flash, so too do most other crimeware toolkits (see Adobe Flash Is Under Attack - Again).

Security experts say that is because Flash flaws give criminals a reliable way to compromise PCs. For example, Trustwave's SpiderLabs says in a blog post that it recently gained access to the control panels for the latest, version 3 of the RIG Exploit Kit, and found that they had incorporated exploits for two Flash flaws that leaked via the hack of surveillance software firm Hacking Team (see Hacking Team Zero-Day Attack Hits Flash). The control panels reported that of the 1.25 million PCs they collectively infected - out of 3.5 million PCs attacked - about half were exploited via flaws in Flash.

Security experts have long called on enterprises to eliminate Flash because it's so often targeted by attackers, often using zero-day attacks.

But Segura argues that users should not have to discard Flash, provided they have installed a recent version that gives them greater control over when the plugin executes. "There is no question that Flash has been a major security concern over the past year and in particular because of repeated zero-day vulnerabilities being weaponized faster than [patches appear]," he says, "I don't think the long-term answer to any security problem is avoidance of a particular piece of software."

He does note, however, that anyone who continues to use Flash should at least "enable 'click to play' in Flash, which puts the user in control of when to let the plugin run."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network