As the title says, a number of popular websites, including The New York Times, BBC, The Hill, Newsweek, AOL, MSN, and several others, were victims of a malvertising campaign.
The attack hijacked the ad network from each of these websites, crooks used the Angler Exploit Kit to deliver Ransomware to the people visiting these websites.
Investigations conducted by experts at Trustwave, Trend Micro, and Malwarebytes reported a spike in malicious traffic over the weekend.
There is no clue if this was part of a larger coordinated effort, but the conclusion is that whoever did this, knew exactly what they were doing.
“We have just discovered an advertising campaign that has been placing malicious advertisements on very popular websites both in the US and internationally. “answers.com” (Alexa rank 420 Global and 155 in the US), “zerohedge.com” (Ranked 986 in the US) and “infolinks.com” (Ranked 4,649 Internationally) are only some of the big names that were recently found redirecting visitors to the Angler exploit kit through a malicious advertising campaign, and though malicious advertising has become part of our daily lives in the world of web security, this story is a little different.” states a blog post published by Trustwave.
“These days we’re practically used to the “standard” Malvertising campaigns where the placement of malicious advertisements on known ad provider networks leads potential victims to an exploit kits’ landing page.” Continues the post.
According to the experts at Trustwave, an experienced actor exploited an expired domain of a small but probably legitimate advertising company to launch the attack.
“This provides them with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, which our research has shown to lead to the Angler EK.” continues the post
Trend Micro reported that the attacks based on the Agler exploit kit increased in a significant way since March 9.
The innovation, in this case, was that crooks used recently expired domain as part of their campaign. By acquiring a recently expired domain, the threat actors are able to bypass some checks because the traffic appears as legit.
Malwarebytes connected the registration of two rogue domains to the attacks relaying on the Angler Exploit kit that hit during the week the visitors of the New York Times, MSN, BBC, AOL, The Hill, Newsweek, NFL.com, the Xfinity customer portal (my.xfinity.com), Realtor.com, and The Weather Channel.
They also explain very well, in an image what happens, when a user accesses one of this targeted websites, in this case assuming that DailyMail.com ads were compromised:
Crooks have chosen Ransomware to infect the victims because it offers a fast way to cash out the efforts.
As more and more variants of Ransomware appear, and since there are no costs once they pay the initial fee, we will keep see a rise in Ransomware during this year.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – ransomware, Malvertising)