Tag Archives: ad networks

Dating site users infected with banking Trojan after malvertising attack

A popular dating site and a huge telecommunications company were hit with malvertising.


Trusted websites can be hit with malvertising

Popular dating site Plenty of Fish (POF) and Australian telco giant Telstra were infected with malicious advertising from late last week through the weekend. The infection came from an ad network serving the advertisements that the websites displayed to their visitors.

Malvertising happens when cybercrooks hack into ad networks and inject malicious code into online advertising. These types of attacks are very dangerous because web users are unaware that anything is wrong and do not have to interact in any way to become infected. Just last week, other trusted sites like weather.com and AOL were attacked in the same way. In the Telstra and POF attacks, researchers say that a malicious advertisement redirected site visitors via a Google URL shortener to a website hosting the Nuclear exploit kit, which infected users with the Tinba banking Trojan.

Malwarebytes researchers observed an attack before the POF discovery and surmised in their blog, “Given that the time frame of both attacks and that the ad network involved is the same, chances are high that pof[dot]com dropped that Trojan as well.” In turn, the Telstra attack was similar to the Plenty of Fish attack.

In an interview with SCMagazineUK.com, Senior Malware Analyst Jaromir Horejsi said,

“To protect themselves from malvertising, people should keep their software, such as browsers and plugins up-to-date, adjust browser settings to detect and flag malvertising. They should also have antivirus software installed to detect and block malicious payloads that can be spread by malvertising.”

The people at the highest risk are those website visitors with out-of-date software like Adobe Flash, Windows, or Internet Explorer. They could find their PC infected with the Tinba banking Trojan, which is known for stealing banking credentials. Tinba, aka Tiny Banker, went global last year when it targeted banks like Wells Fargo, HSBC, Bank of America, and ING Direct. The success of the Trojan relied heavily on a bank customer’s system being vulnerable because of out-of-date software.

For more protection, use security software such as Avast Antivirus with the Software Updater feature. Software Updater informs you about updates and security patches available for your computer.


 

Follow Avast on Facebook, Twitter, YouTube, and Google+ where we keep you updated on cybersecurity news every day.

Infected ad networks hit popular websites

Infected ads can be dangerous to your computer

It is frustrating when your antivirus protection stops you from visiting a website that you know and trust, but these days even the most popular websites can fall prey to attacks.

This week security researchers discovered booby-trapped advertisements on popular websites including eBay, The Drudge Report, weather.com, and AOL. The ads, some of which can be initiated by a drive-by attack without the user’s knowledge or even any action, infected computers with adware or locked them down with ransomware.

Computer users running older browsers or unpatched software are more likely to get infected with malware just by visiting a website. Avast blocks these infected ads, but to be safe, please use the most updated version. To update your Avast, right-click the Avast Antivirus icon in the system tray at the bottom-right corner of your desktop. From the menu, select Update.

“This kind of malvertising is a fairly easy way for cybercriminals to deliver adware or another malicious payload. Many websites sell advertising space to ad networks then deliver the targeted ads to your screen,” said Avast Virus Lab researcher Honza Zika. “All Avast users with current virus databases are fully protected against this attack, but those without protection or up-to-date security patches run the risk of being infected with ransomware.”

Malicious ads have appeared on legitimate websites for years now. In 2010, Jiri Sejtko, the director of Avast Virus Labs, reported on ad poisoning and predicted that “The ad infiltration method is growing in popularity alongside with the web site infections. Now we are facing probably the biggest ad poisoning ever made.” In the years following, many legitimate sites have suffered this attack, notably Reuters, Yahoo, and YouTube.

For a more technical explanation of how infected ad networks work, read the study done by Avast Virus Lab analysts, Malvertising and OpenX servers.

How to protect yourself from infected ad networks

Since infected ads can appear on legitimate sites that you normally visit with no problem, you have to trust your antivirus protection to do its job. Here are some steps you can take to protect yourself:

    1. Make sure your antivirus protection is up-to-date and that you have applied security patches to software.
    2. Disable Adobe Flash and Java. Cybercrooks often exploit the vulnerabilities in these services.
    3. It may seem drastic, but you can even get an ad-blocker browser plug-in to stop all ads from showing. The downside is that you miss something that could actually be useful.

 


Malvertising is bad for everyone but cybercriminals


One rotten malvertisement not only ruins the bunch, but can damage your SMB’s reputation.

Malvertising sounds like bad advertising, right? It is bad advertising, but it doesn’t necessarily include a corny jingle or mascot. Malvertising is short for malicious advertising and is a tactic cybercriminals use to spread malware by placing malicious ads on legitimate websites. Major sites like Reuters, Yahoo, and YouTube have all fallen victim to malvertising in the past.

How can consumers and SMBs protect themselves from malvertising?

Malvertising puts both website visitors and businesses at great risk. Site visitors can get infected with malware via malvertising that either abuses their system or steals personal data, while businesses’ reputations can be tarnished if they host malvertisements. Even businesses that pay for their ads to be displayed on sites can suffer financial loss through some forms of malvertising, because it can displace their own ads with malicious ones.

To protect themselves, small and medium-sized businesses should make sure they use the latest, updated version of their advertisement system, use strong passwords to avoid a dictionary attack, and use free Avast for Business to discover and delete malicious scripts on their servers. Consumers should also keep their software updated and make sure they use an antivirus solution that will protect them from malicious files that could turn their PC into a robot, resulting in a slowed-down system and potential privacy issues. Avast users can run Software Updater to help them identify outdated software.

How does malvertising work?

Businesses use ad systems to place and manage ads on their websites, which help them monetize. Ad systems can, however, contain vulnerabilities. Vulnerabilities in general are a dream come true for cybercriminals because vulnerabilities make their “jobs” much easier and vulnerabilities in ad systems are no exception. Cybercriminals can take advantage of ad system vulnerabilities to distribute malicious ads via otherwise harmless and difficult to hack websites.

Why cybercriminals like malvertising

Cybercriminals fancy malvertising because it is a fairly simple way for them to trick website visitors into clicking on their malicious ads. Cybercriminals have high success rates with malvertising because most people don’t expect normal-looking ads that are displayed on websites they trust to be malicious. Targeting well-visited websites not only raises the odds of ad clicks, but also allows cybercriminals to target specific regions and audiences they normally wouldn’t be able to reach very easily. Another reason malvertising is attractive to cybercriminals is that it can often go unnoticed, as the malicious code is not hosted on the website where the ad is being displayed.

Examples of malvertising

An example of an ad system platform with a rich history of vulnerabilities is the Revive Adserver platform, formerly known as OpenX. In the past, attackers could obtain administrator credentials to the platform via an SQL injection. The attackers would then upload a backdoor Trojan and tools for server control. As a result, they were able to modify advertising banners, which redirected site visitors to a website with an exploit pack. If the victim ran outdated software, the software would download and execute malicious code.
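Because the attack described above ends with modified banner markup, a site operator can audit the banner HTML stored in their ad system for anything that loads from or links to an unexpected host. The following is an added example, not code from Avast or Revive Adserver; the allowlisted hosts, banner ids and banner HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site's banners are expected to load from.
ALLOWED_HOSTS = {"ads.example.com", "cdn.example.com"}

# Tag -> attribute that makes the browser fetch or navigate to a URL.
URL_ATTRS = {"script": "src", "iframe": "src", "embed": "src",
             "object": "data", "img": "src", "a": "href"}


class BannerAuditor(HTMLParser):
    """Records every place a banner reaches outside the allowlist."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A meta refresh redirects the visitor without any script.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", attrs.get("content") or ""))
        url = attrs.get(URL_ATTRS.get(tag, ""))
        if not url:
            return
        host = urlparse(url.strip()).hostname  # None for relative URLs
        if host and host not in ALLOWED_HOSTS:
            self.findings.append((tag, host))


def audit_banner(html):
    """Return a list of (tag, host) findings for one banner's HTML."""
    auditor = BannerAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample banners, keyed by a made-up banner id.
BANNERS = {
    1: '<a href="https://ads.example.com/click?id=1">'
       '<img src="https://cdn.example.com/b1.png"></a>',
    2: '<a href="https://ads.example.com/click?id=2">'
       '<img src="/img/b2.png"></a>'
       '<script src="//short.example.net/abc"></script>',
    3: '<iframe src="http://landing.example.org/" width="1" height="1"></iframe>',
}

if __name__ == "__main__":
    for banner_id, html in BANNERS.items():
        print(banner_id, audit_banner(html) or "ok")
```

Banner 1 passes, while banners 2 and 3 are flagged for a script and an iframe pointing at hosts outside the allowlist. A finding is a prompt to review the banner and the ad server's admin accounts, not proof of compromise.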

Another malware family Avast has seen in the wild and reported on that spread via malvertising was Win32/64:Blackbeard. Blackbeard was an ad fraud / click fraud family that mainly targeted the United States. According to our telemetry, Blackbeard infected hundreds of new victims daily. Blackbeard used the victim’s computer as a robot, displaying online advertisements and clicking on them without the victim’s knowledge. This resulted in income for botnet operators and a loss for businesses paying to have their ads displayed and clicked.