Massive malvertising attack poisons 288 sites

A malvertising campaign has swamped most of the Netherlands’ most popular sites, affecting millions of users.

The campaign began to take root on Sunday, when security firm Fox-IT noted a spike in incidents involving malware exploit kits.

Spotted among those kits was the notorious Angler: the CaaS, or Crimeware-as-a-Service, that crooks have chosen to spread such nasties as the CryptoWall 4.0 ransomware.

As of Monday, at least 288 websites had been infected with malvertising, exposing millions to poisoned ads.

One example of how far its tentacles have reached: the campaign has hit Nu.nl, the most-visited Dutch-language news portal.

Nu.nl alone is estimated to have scored more than 50 million visitors in March, according to Tech Week Europe.

Other affected sites include eBay-style service Marktplaats.nl and well-known news and culture sites, according to Fox-IT.

The campaign originated in an advertising platform used by the affected sites. Fox-IT has contacted the advertising provider, which, it said, responded quickly to block the malicious sites involved.

But while the sites serving up malicious code are now being filtered, they haven’t been knocked offline.

From Fox-IT’s post:

[The advertising providers] will be tracking down the affected content provider as this issue has not been fully resolved, it has simply been filtered for now.

The exploit works by loading external scripts that redirect toward an exploit kit.

These two domains have been implicated and should be blocked to help stop the redirects, according to Fox-IT:

traffic-systems.biz (188.138.69.136)
medtronic.pw (188.138.68.191)

How Angler hooks you

For a closer look at how an exploit kit works, check out this report from SophosLabs, where crimeware expert Fraser Howard takes a top-to-bottom look at Angler.

Fraser not only explains how the kit works, from preparing a funnel of victims to playing cat-and-mouse with security researchers, but also presents some vital insights into what you can do to fight back.

What is malvertising?

Angler is just one of the flavors of malware that malvertising can deliver.

Malvertising is short for malicious online advertising, which is where usually-trustworthy sites temporarily go rogue because one of the ads they display turns out to be booby-trapped and tries to foist malware or potentially unwanted content on your computer.

These poisoned-ad attacks have afflicted major news sites, including the Daily Mail and Forbes.

THIS is why people want their adblockers

Ironically, it turned out that Forbes was hit with malvertising immediately after pleading with visitors to please turn off adblocking, to protect its “free content” revenue stream.

But as we reported at the time, tests run by SophosLabs very quickly revealed well over 100 different ad-serving domains that Forbes uses on repeat visits, making turning off your adblocker a whole lot riskier than might appear at first blush.

Content providers argue that “free” content, subsidized by ads, will face extinction if we block ads, given how all the advertising money will be drained from “free”.

But with malware like the sharp-toothed Angler exploit kit out there ready to eat us alive, that’s about as smart as turning off your anti-virus because it just might gum up software installs.

There’s one word for both “turn-it-off” requests: DON’T!

Image of Netherlands flag courtesy of Shutterstock.com