Over 120 million users were exposed to the malicious ad

Dec 3, 2015 11:04 GMT

Over 120 million users may have been exposed to a sneaky Flash ad that could infect them with malware without requiring any interaction, such as hovering over or clicking on the advertisement.

After more than a month without any malvertising campaign targeting visitors to adult portals, Malwarebytes disturbed this tranquility with news of a new and extremely dangerous campaign delivered through a Flash ad hosted on AdXpansion, an adult advertising network.

The security vendor detected the malicious ad on five adult websites. These sites have a total monthly traffic of 122.9 million users.

First signs of the compromised Flash ad were seen on November 21, but Malwarebytes doesn't rule out the possibility of this ad being active before that.

The Flash ad leverages insecure Flash cross-domain policies

As for the attack itself, the Flash ad leverages known exploits, loaded via the crossdomain.xml file. How and why Flash cross-domain policies are dangerous was explained in one of our previous articles, which covered a report from security specialist Julio Cesar Fort showing that one in ten websites uses an insecure policy in its crossdomain.xml file.

Other in-depth details about the actual exploit were also provided by Malwarebytes' security experts in a blog post from the start of November when the same technique was used to infect users with the CryptoWall ransomware.

In these particular attacks, whenever a browser would load the Flash ad, it would automatically load the exploit code as well. The exploit code is executed automatically, without any user interaction, as part of the Flash ad itself.

The only way to prevent such malvertising campaigns from reaching their target is for users to run an antivirus that can automatically detect the exploit attempt as it happens.

Malwarebytes says it contacted AdXpansion and informed the company of the presence of a malicious ad on its network. At the time of writing, AdXpansion had not responded to Malwarebytes' emails.

Images: one of the malicious ads in action; list of affected websites.