A malvertising campaign has swamped most of the Netherlands’ most popular sites, affecting millions of users.
The campaign began to take root on Sunday, when security firm Fox-IT noted a spike in incidents involving malware exploit kits.
Spotted among those kits was the notorious Angler: the CaaS, or Crimeware-as-a-Service, that crooks have chosen to spread such nasties as the CryptoWall 4.0 ransomware.
As of Monday, at least 288 websites had been infected with malvertising, exposing millions to poisoned ads.
One example of how far its tentacles have reached: the campaign has hit Nu.nl, the most-visited Dutch-language news portal.
Nu.nl alone is estimated to have scored more than 50 million visitors in March, according to Tech Week Europe.
Other affected sites include eBay-style service Marktplaats.nl and well-known news and culture sites, according to Fox-IT.
The campaign originated in an advertising platform used by the affected sites. Fox-IT has contacted the advertising provider, which, it said, responded quickly to block the malicious sites involved.
But while the sites serving up malicious code are now being filtered, they haven’t been knocked offline.
From Fox-IT’s post:
[The advertising providers] will be tracking down the affected content provider as this issue has not been fully resolved, it has simply been filtered for now.
The attack works by loading external scripts that redirect visitors toward an exploit kit.
These two domains have been implicated and should be blocked to help stop the redirects, according to Fox-IT:
traffic-systems.biz (188.138.69.136)
medtronic.pw (188.138.68.191)
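An added example (not from Fox-IT or the original article): a Python sketch that checks web proxy logs for the two indicators listed above. The five-field log layout, the client addresses and the sample lines are constructed assumptions; hosts are matched on whole DNS labels so look-alike names are not flagged, and the destination IP is checked as well in case another hostname points at the same server.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted in the article above (attributed there to Fox-IT).
BLOCKED_DOMAINS = {"traffic-systems.biz", "medtronic.pw"}
BLOCKED_IPS = {ipaddress.ip_address("188.138.69.136"),
               ipaddress.ip_address("188.138.68.191")}

# Constructed sample lines; assumed layout: time client method url dest_ip
SAMPLE_LOG = """\
09:14:02 10.0.0.21 GET http://news.example/ 203.0.113.10
09:14:03 10.0.0.21 GET http://cdn.Traffic-Systems.biz./a.js 188.138.69.136
09:14:05 10.0.0.37 GET http://nottraffic-systems.biz/x 198.51.100.7
09:15:40 10.0.0.52 GET http://188.138.68.191/landing 188.138.68.191
09:16:11 10.0.0.52 GET http://medtronic.pw.example.org/ 198.51.100.9
09:17:30 10.0.0.60 GET http://other.example/ad 188.138.69.136
this line is malformed
"""

def host_is_blocked(host):
    """True if host is a blocked domain or a subdomain of one."""
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def ip_is_blocked(text):
    """True if text parses as an IP address that is on the blocklist."""
    try:
        return ipaddress.ip_address(text) in BLOCKED_IPS
    except ValueError:
        return False  # not an IP literal (e.g. a hostname)

def scan(log_text):
    """Return (client, url, reason) for each line that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the scan
        _time, client, _method, url, dest_ip = fields
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:
            continue  # unparseable URL
        if host_is_blocked(host):
            hits.append((client, url, "domain"))
        elif ip_is_blocked(host) or ip_is_blocked(dest_ip):
            hits.append((client, url, "ip"))
    return hits

if __name__ == "__main__":
    for client, url, reason in scan(SAMPLE_LOG):
        print(f"{client} -> {url} [{reason}]")
```

The clients returned by scan() are the machines that requested one of the redirect hosts and are the ones worth checking for follow-on exploit-kit traffic.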
How Angler hooks you
For a closer look at how an exploit kit works, check out this report from SophosLabs, where crimeware expert Fraser Howard takes a top-to-bottom look at Angler.
Fraser not only explains how the kit works, from preparing a funnel of victims to playing cat-and-mouse with security researchers, but also presents some vital insights into what you can do to fight back.
What is malvertising?
Angler is just one of the flavors of malware that malvertising can deliver.
Malvertising is short for malicious online advertising: usually-trustworthy sites temporarily go rogue because one of the ads they display turns out to be booby-trapped and tries to foist malware or potentially unwanted content on your computer.
These poisoned-ad attacks have afflicted major news sites, including the Daily Mail and Forbes.
THIS is why people want their adblockers
Ironically, it turned out that Forbes was hit with malvertising immediately after pleading with visitors to please turn off adblocking, to protect its “free content” revenue stream.
But as we reported at the time, tests run by SophosLabs very quickly revealed well over 100 different ad-serving domains that Forbes uses on repeat visits, making turning off your adblocker a whole lot riskier than might appear at first blush.
Content providers argue that “free” content, subsidized by ads, will face extinction if we block ads, because blocking drains the advertising money that pays for “free”.
But with malware like the sharp-toothed Angler exploit kit out there ready to eat us alive, that’s about as smart as turning off your anti-virus because it just might gum up software installs.
There’s one word for both “turn-it-off” requests: DON’T!
rc
What ad blockers does Sophos recommend?
Paul Ducklin
We’re not partial. Adblockers are a bit like air fresheners or washing-up liquids…try one or two and pick the one you like :-)
gregpbarth@gmail.com
Yet they cry about us blocking ads…
G.L.
There are a lot of adblockers now, a real jungle. I am myself using AdBlock Plus.
How about Sophos doing an adblock test with a focus on which of them is most secure?
Mikko (@mikkokotila)
I like the way you are mentioning Forbes in this article, that is the key point. These big publishers are looking for legal trouble with their irresponsible behaviour. Not only are they making users more vulnerable, as some gullible users think that they can trust Forbes et al. to have their best interest in mind, but together with those users, they are in effect making the society more vulnerable. It would be good if you could share more of the sites though, because your title says 288 but the article mentions 4. Users need to know. Ad blocking technology companies need to know. Advocates need to know.
Damon Schultz
Surely this is a reason for publishers to host their own advertising, rather than rely on third-party ad serving networks? I manage advertising at a niche publisher. We sell all our own advertising; so we know every advertiser, every advert, and every click-through URL. Please correct me if I am wrong, but I don’t see any way such a maladvertising outbreak could affect us, or our website visitors?
So shouldn’t Forbes et al consider doing the same? After all, this is how all advertising used to be sold! Publishers (or perhaps their media agents) would call up advertisers (or their media buyers) directly and sell them the ad. I know the world has changed since then, but not for the better it seems…