Malicious advertisements deliver exploit kits that download malware

Aug 28, 2014 00:03 GMT

Malicious advertisements serving browser exploits were bought through real-time bidding and displayed in the ad space of high-profile websites last week.

Between August 19 and August 22, visitors to Java.com, Deviantart.com, TMZ.com, Photobucket.com, IBTimes.com, eBay.ie, Kapaza.be and TVgids.nl were exposed to malware delivered by the Angler exploit kit through advertisements served by the AppNexus ad platform, researchers at security firm Fox-IT say.

The kit targets browsers running outdated versions of Java, Adobe Flash Player or Microsoft Silverlight; the advertisement, in Fox-IT's words, “would embed an exploit initiating a download of a malicious payload.”

“Please note, a visitor does not need to click on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser,” warn the researchers in a blog post.

Fox-IT observed that Angler would drop the Rerdom Trojan on vulnerable systems. Rerdom is a downloader: once running, it retrieves further malware from an attacker-controlled server, so the initial infection is only the first stage of the compromise.

One of the problems with tracking down the malicious advertisements is that the exploit is delivered selectively: the ad platform's targeting data about the visitor (geographical location, browser type and web browsing history) decides who receives the exploit, so a researcher or automated scanner that does not match the profile is shown only a clean ad.
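To make the selective delivery concrete, here is an added example (not Fox-IT's code and not Angler's) of the kind of client-side gate a malvertising landing page runs before deciding which exploit, if any, to serve. It only classifies the visitor from the same metadata the article lists (browser type and installed plug-in versions); geographical targeting happens server-side from the client IP and is not modelled. The "patched" baseline versions, the targeted-browser pattern and the sample navigator object are all constructed for illustration and are not taken from the campaign.

```javascript
// Added example: model of an exploit-kit landing page's visitor gate.
// Nothing here exploits anything; it decides whether a visitor "qualifies".

// Assumption: illustrative "current" versions at the time of the campaign.
// A real kit carries the exact version list its exploits work against.
const PATCHED_BASELINE = {
  java: "1.7.0_67",
  flash: "14.0.0.145",
  silverlight: "5.1.30514.0",
};

// Assumption: the kit only bothers with browsers its exploits were built for;
// anything else (including most crawlers and sandboxes) gets the clean ad.
const TARGET_UA = /MSIE|Trident|Firefox/;

// Parse "1.7.0_51", "14.0.0.125" or "5.1.30514.0" into comparable integers.
function parseVersion(s) {
  return s
    .split(/[._]/)
    .map((n) => parseInt(n, 10))
    .filter((n) => !Number.isNaN(n));
}

// strcmp-style comparison; missing trailing components count as 0.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  const len = Math.max(va.length, vb.length);
  for (let i = 0; i < len; i++) {
    const d = (va[i] || 0) - (vb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Pull plug-in versions out of navigator.plugins the way fingerprinting
// scripts do. Java's plug-in name carries "SE <major> U<update>", Flash's
// description carries "<major>.<minor> r<revision>", Silverlight's
// description is the bare four-part version.
function detectPlugins(nav) {
  const found = {};
  for (const p of nav.plugins) {
    const text = `${p.name} ${p.description}`;
    let m;
    if ((m = /Java.*?SE (\d+) U(\d+)/.exec(text))) found.java = `1.${m[1]}.0_${m[2]}`;
    if ((m = /Shockwave Flash (\d+)\.(\d+) r(\d+)/.exec(text))) found.flash = `${m[1]}.${m[2]}.${m[3]}`;
    if ((m = /Silverlight.*?(\d+\.\d+\.\d+\.\d+)/.exec(text))) found.silverlight = m[1];
  }
  return found;
}

// Returns { plugin, version } for the first outdated plug-in in the kit's
// order of preference, or null when the visitor should see the clean ad.
function selectTarget(nav) {
  if (!TARGET_UA.test(nav.userAgent)) return null;
  const plugins = detectPlugins(nav);
  for (const name of ["java", "silverlight", "flash"]) {
    const version = plugins[name];
    if (version && compareVersions(version, PATCHED_BASELINE[name]) < 0) {
      return { plugin: name, version };
    }
  }
  return null;
}

// Constructed visitor: Firefox on Windows with outdated Java and Flash and a
// current Silverlight. The plug-in strings mimic what those plug-ins report.
const SAMPLE_VISITOR = {
  userAgent: "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
  plugins: [
    { name: "Java(TM) Platform SE 7 U51", description: "Next Generation Java Plug-in 10.51.2 for Mozilla browsers" },
    { name: "Shockwave Flash", description: "Shockwave Flash 13.0 r0" },
    { name: "Silverlight Plug-In", description: "5.1.30514.0" },
  ],
};

console.log(detectPlugins(SAMPLE_VISITOR));
console.log(selectTarget(SAMPLE_VISITOR));
```

The practical consequence for anyone trying to reproduce or detect such a campaign is that a sandbox or crawler with current plug-ins, or an unexpected user agent, falls through to the `null` branch and never sees the exploit; replaying the ad with a deliberately outdated plug-in profile (and from the targeted country) is what makes the malicious branch appear.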

Advertisers bid in an automated, real-time auction for the right to show their ads to visitors who match chosen criteria, and the winning ad is selected per impression. This makes malicious ads harder to track, because two visitors to the same page rarely receive the same creative. “In the case of this malvertising campaign the malicious advertisers were the highest bidders,” Fox-IT says.

The attackers also leveraged “retargeting,” an ad-network feature that uses tracking cookies to serve a returning visitor ads tailored to their earlier browsing instead of the page's default creative.

“The way it works is that a user with an interesting set of tracking cookies and other metadata for a certain ad provider is retargeted from the original advertisement content on the website to the modified or personalized data,” say Fox-IT researchers.

Among the methods that can be used for safeguarding against malvertising is turning on the click-to-play feature in the web browser, which stops third-party plug-ins such as Java, Flash and Silverlight from running until the user explicitly activates them (Firefox calls this “Ask to Activate”; Chrome offers “Click to play” in its plug-in content settings). A drive-by exploit needs the plug-in to load the malicious content automatically, so the silent infection described above does not happen.

Keeping browser plug-ins up to date, either with software that alerts when a new security update is available or by updating them manually, also reduces the risk of compromise through malvertising, since the kit only serves exploits for versions with known, unpatched flaws.

Additional advice includes disabling plug-ins that are not needed, and using an ad-blocking extension, which prevents the ad-network redirect chain from loading the exploit kit's landing page in the first place.