Popular internet security company Malwarebytes, which makes anti-malware for both home users and businesses, has uncovered a malvertising campaign that it believes has been running for around three weeks. According to the firm, it is the largest campaign of its kind discovered in recent months, spanning ten different ad domains and generating an enormous amount of traffic.
The campaign was aimed specifically at visitors to websites that offer pirated content: torrent sites, live streaming sites, and sites offering downloads of pirated software. From there, the malicious adverts redirected browsers automatically to an online casino site. As Malwarebytes describes it:
‘The malicious ads would automatically (no click required) redirect users to a casino website used as a decoy to silently load malicious iframes from disposable domains which ultimately lead to the Angler exploit kit. In one case, the casino website was a direct gateway to Angler EK.’
Angler EK and Neutrino EK are two exploit kits of the same general type. The infections they deliver are known as ‘drive-by downloads’ because the victim need do nothing more than load a page: no click, download prompt or installer is involved. Infection nearly always begins with an automatic redirect (usually from a site the user actually wanted to visit) to a malicious site controlled by the attacker, in this case the decoy casino websites. The casino sites used to spread malware on this occasion are believed to have been pennyslot.net, playcasino77.com and onlinecasinofun.org.
Illustrating the lengths to which attackers go to infect computers, Malwarebytes explains that the decoy casino pages silently loaded malicious iframes from disposable domains, and it was those iframes that carried visitors on to one of the two exploit kits (Malwarebytes has confirmed that one of the casino websites was itself a direct gateway to Angler EK).
As alarming as those exploit kits are, they are not the final stage of the infection. The job of both Angler and Neutrino is to probe the visiting browser and its plugins for a vulnerability they can exploit, and only once a weakness has been found does the kit deliver its malware. During the three weeks this campaign has been running, that malware amounted to more than 30 different ‘payloads’. ‘The infamous CryptoWall ransomware as well as the Bunitu Trojan,’ were among them, confirms Jerome Segura on the Malwarebytes blog.
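The redirect chain described above (publisher page, then ad server, then decoy casino, then an iframe from a disposable domain) is exactly what a web-proxy log records, one request at a time. The script below is an added example written for this article, not Malwarebytes' own tooling: it rebuilds per-client referer chains from a constructed log in a simplified format and flags cases where a visit to one of the three decoy casino domains named above arrives by redirect from elsewhere and is followed, within a short window, by a resource loaded from an unrelated domain on the casino page's behalf. The log format, the client addresses, the 30-second window and every hostname other than the three casino domains are assumptions made for the example.

```python
"""Flag drive-by redirect chains (publisher -> ad -> decoy casino -> disposable
domain) in web-proxy logs.  Constructed example; not Malwarebytes' tooling."""
from collections import namedtuple
from datetime import datetime, timedelta
from urllib.parse import urlsplit

Request = namedtuple("Request", "ts client url referer")

# Decoy domains named in the article. Everything else in this file is constructed.
DECOY_DOMAINS = {"pennyslot.net", "playcasino77.com", "onlinecasinofun.org"}
# Assumption: the exploit-kit landing page loads within 30 s of the decoy.
WINDOW = timedelta(seconds=30)

# Constructed sample in an assumed format: "timestamp client method url referer status"
# ('-' means no Referer header). Client 10.0.0.5 is the malvertising victim;
# 10.0.0.9 typed the casino address in directly and is the benign control.
SAMPLE_LOG = """\
2015-11-03T10:00:01 10.0.0.5 GET http://torrentsite.example/search?q=movie - 200
2015-11-03T10:00:02 10.0.0.5 GET http://ads.example-network.net/serve?id=42 http://torrentsite.example/search?q=movie 302
2015-11-03T10:00:03 10.0.0.5 GET http://playcasino77.com/ http://ads.example-network.net/serve?id=42 200
2015-11-03T10:00:04 10.0.0.5 GET http://xk3r9q.example/landing.php http://playcasino77.com/ 200
2015-11-03T10:00:06 10.0.0.5 GET http://xk3r9q.example/flash.swf http://xk3r9q.example/landing.php 200
2015-11-03T10:05:00 10.0.0.9 GET http://playcasino77.com/promo - 200
2015-11-03T10:05:01 10.0.0.9 GET http://static.playcasino77.com/logo.png http://playcasino77.com/promo 200
"""


def parse_log(text):
    """Parse the assumed six-field log format into time-ordered Request tuples."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, referer, _status = line.split()
        requests.append(Request(datetime.fromisoformat(ts), client, url,
                                None if referer == "-" else referer))
    return sorted(requests, key=lambda r: r.ts)


def host_of(url):
    return urlsplit(url).hostname or ""


def belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def decoy_for(host):
    """Return the decoy domain that host belongs to, or None."""
    for domain in DECOY_DOMAINS:
        if belongs_to(host, domain):
            return domain
    return None


def walk_back(req, seen):
    """Follow Referer headers backwards to recover the hostnames in the chain."""
    chain = [host_of(req.url)]
    while req.referer in seen and len(chain) < 10:   # length cap guards against loops
        req = seen[req.referer]
        chain.append(host_of(req.url))
    return chain[::-1]


def find_driveby_chains(text):
    """Return one hostname chain per suspected decoy -> disposable-domain hand-off."""
    by_client = {}
    for req in parse_log(text):
        by_client.setdefault(req.client, []).append(req)

    chains = []
    for reqs in by_client.values():
        seen = {}         # url -> Request, so chains can be walked backwards
        decoy_hits = []   # requests that reached a decoy domain via an off-site referrer
        for req in reqs:
            seen[req.url] = req
            host = host_of(req.url)
            decoy = decoy_for(host)
            ref_host = host_of(req.referer) if req.referer else None
            # Step 1: the decoy was reached from somewhere else (the ad redirect),
            # not by typing it in or browsing within the casino site.
            if decoy and ref_host is not None and not belongs_to(ref_host, decoy):
                decoy_hits.append(req)
                continue
            if decoy or ref_host is None:
                continue
            # Step 2: an unrelated domain is loaded with the decoy page as referrer,
            # which is what the hidden iframe to a disposable domain looks like.
            ref_decoy = decoy_for(ref_host)
            if ref_decoy and not belongs_to(host, ref_decoy):
                for hit in decoy_hits:
                    if (decoy_for(host_of(hit.url)) == ref_decoy
                            and timedelta(0) <= req.ts - hit.ts <= WINDOW):
                        chains.append(walk_back(req, seen))
                        break
    return chains


if __name__ == "__main__":
    for chain in find_driveby_chains(SAMPLE_LOG):
        print(" -> ".join(chain))
```

Run against the sample, the script reports a single chain, torrentsite.example -> ads.example-network.net -> playcasino77.com -> xk3r9q.example, and stays silent for the client who visited the casino directly. Treat a hit as a lead rather than proof: Referer headers can be absent or stripped, exploit-kit domains rotate far faster than any allow-list, and a real deployment would pair this with domain age or reputation data before acting on it.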
Malwarebytes believes the success of this campaign, which may have put an unusually large number of people at risk, came down to the sites it targeted. Visitors to such sites (referred to by Malwarebytes as ‘dubious publishers’) are likely to feel they cannot report unusual activity on their machines for fear of being caught downloading pirated material.
Malwarebytes believes so many people were hit because the ad networks used to run the campaign receive a great deal of traffic. According to SimilarWeb, an internet traffic analytics site, those ad networks generated 2 billion visits in October alone. That is not a direct measure of how many people were infected, but it does indicate the scale of the audience the attacker was trying to reach.
This is not the only recent malvertising campaign exposed by Malwarebytes, either. Only a fortnight ago the company revealed that soccer fans may have been exposed to a very similar attack, after the Premier League’s official fantasy league website was targeted by attackers seeking to infect visitors via adverts. On that occasion SimilarWeb’s figures showed the official site receives around 16 million visitors per month, demonstrating that it is not only people engaged in illegal activity who can fall prey to such campaigns.
It is hard to avoid falling prey entirely to the sometimes rather sophisticated work of these cold-hearted cyber criminals, but keeping an up-to-date anti-malware product installed, and keeping the browser and its plugins patched (exploit kits typically rely on known vulnerabilities that have not yet been fixed on the victim’s machine), will protect you as far as is reasonably possible. Do not forget that the reason attackers work so hard to get malware onto computers is that they intend to make money out of you, a point that is too easily pushed to the back of the mind until it is too late.
Ad Cash, the advertising company affected by the recent casino malvertising campaign, has released the following statement:
‘We encourage a culture of “full disclosure” and will proactively investigate any potentially non-compliant campaigns that are reported to us and use that information to improve our product, processes and services.’