Malwarebytes firm discovered a large scale malvertising exploiting Google’s DoubleClick and popular Zedo advertising agency to deliver malicious ad.
Experts at Malwarebytes security firm discovered that cyber criminals are exploiting a number of popular websites to serve malicious advertisements designed to spread the Zemot malware. Online advertising networks are once again a target of cyber criminals, according to the experts, the criminals exploited the Google’s DoubleClick and popular Zedo advertising agency to deliver malicious advertisements to millions of Internet. The list of popular websites used to spread the malicious advertisements is long and includes The Jerusalem Post, The Times of Israel and the Last.fm music streaming website,
The Zemot malware was detected by Microsoft earlier this month, as explained by the experts of the company, this family of trojan downloaders is frequently used by malware with a number of different payloads. Zemot is usually distributed by several exploit kit, including the Nuclear exploit kit and the Magnitude exploit kit.
Malvertising is a consolidated tactic in the underground ecosystem, recently experts at Fox-IT revealed in a blog post that the Internet firm AppNexus is the origin of a new “malvertising” campaign, which is based on the Angler Exploit Kit to redirect visitors to malicious websites serving the Asprox malware.
According to Fox-It, the malvertising campaign targeted visitors of high ranked websites, including Java.com, eBay.ie, Deviantart.com, TMZ.com, Photobucket.com, IBTimes.com, Kapaza.be and TVgids.nl. Last week visitors of the above websites were infected with such technique.
Experts at Malwarebytes sustain that the Malvertising campaign started in in late August reaching millions of Internet users, although only poorly protected computers were infected by the Zemot malware.
Jerome Segura, a senior security researcher with Malwarebytes, wrote in a blog post that the malicious advertisements lead users to websites containing Nuclear exploit kit, which looks for an unpatched version of Adobe Flash Player or Internet Explorer. If a user’s machine is not updated, it downloads the Zemot malware, which then contact its C&C server to download many other malicious payloads.
“What is important to remember is that legitimate websites entangled in this malvertising chain are not infected. The problem comes from the ad network agency itself.” said Segura.
Google has confirmed the breach, and confirmed that affected servers which were redirecting malicious code were shut down, the company also disabled the ads that delivered malware to user’s computers.
In time I’m writing researchers at Malwarebytes confirmed that the redirection has stopped.
Despite Malvertising attacks on a large scale are rare, the unique defense for Internet users in these cases is to keep their systems up-to date, with current antivirus and anti-malware protection.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.