It's been nine years since the first malicious advertising attack was discovered using poisoned banner ads on MySpace, Excite and Rhapsody. As we look back at 2016, it is clear that malvertising continues to affect every segment of the ad-supported internet. Some of the biggest names in the online advertising industry – Google and Yahoo – and some of the biggest publishing brands – New York Times, the British Broadcasting Corporation (BBC), AOL and Spotify – found themselves facing serious embarrassment because of malicious advertisements on their web properties.
2016 showed that malvertising continues to be a successful and easy way to infect users. Instead of relying on spamming out links to infected websites, cyber-criminals simply compromise advertising networks and use specialized scripts and cunning techniques to host (or infect) malicious ads on popular, high-traffic websites. The end result is end users being infected with some of the most virulent computer threats, including the newest ransomware scourge.
Malvertising continues to be extremely difficult to track as cyber-criminals use clever tricks to get around security controls. In multiple cases during 2016, security experts noticed cyber-criminals removing the malicious code from their ads an hour or two after launching the attacks, making the campaigns nearly impossible to trace after the fact.
Several major malvertising attacks discovered in 2016 show that this threat is here to stay and confirm that malvertising can only be properly policed via automated systems that scan for malicious ad activity.
In the true fashion of end-of-year posts, here are the top five malvertising attacks discovered in 2016:
1. Malvertising Meets Ransomware
In 2016, the malvertising epidemic got worse when purveyors of ransomware joined the fray. In one high-profile attack, the New York Times, the BBC, AOL and NFL were tricked into running malicious ads that hijacked computers, encrypted user data and demanded ransom payments for recovery keys. Combined, the targeted web sites had traffic in the billions of visitors.
In the ransomware attacks, the hackers inserted ads that contained malicious software into legitimate online ad networks. The ad networks then distributed the compromised advertising to websites, which served them to visitors. The software then locked visitors out of computer files and demanded a ransom for access.
The malvertising ransomware attack was delivered through multiple ad networks, including Google, AOL, AppNexus and Rubicon. The exploit kit associated with this attack used a number of vulnerabilities, including a recently-patched flaw in Microsoft Silverlight.
2. Hiding Attack Code in Banner Pixels
The year 2016 came to an end with a clever malvertising attack that borrowed from the practice of steganography, where secret messages are concealed inside a larger document. For two months beginning in October 2016, millions of web surfers visiting popular web sites fell victim to a new form of malicious ads that embed attack code in individual pixels of the banner ads.
Millions of web surfers encountered the display ads, which promoted applications calling themselves “Browser Defence” and “Broxu”. (Sample banner images omitted; source: ESET Security.)
These advertisement banners were stored on remote domains with the URLs hxxps://browser-defence.com and hxxps://broxu.com. Without requiring any user interaction, an initial script reports information about the victim’s machine to the attacker’s remote server. Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin.
The malicious code was hidden in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are largely invisible. Using multiple scripts, the ads redirected victims to an exploit kit known as Stegano and loaded an Adobe Flash file that is able to exploit three different vulnerabilities (CVE-2015-8651, CVE-2016-1019, CVE-2016-4117), depending on the version of Flash found on the victim’s system.
Security researchers discovered the attacks on major news sites in the United Kingdom, Australia and Canada, including Channel 9, Sky News, and MSN.
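As an added defensive illustration (not code from the original post or from ESET's research), the following Python heuristic inspects an ad creative's alpha channel for the kind of small, random-looking transparency variation described above: a banner that looks opaque to the eye but whose alpha values deviate slightly on most pixels. The banners are constructed sample data and the thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed sample banners (not real ad creatives), as flat lists of (r, g, b, a) tuples.
WIDTH, HEIGHT = 64, 16

def make_clean_banner():
    # Ordinary opaque display ad: every pixel has alpha 255.
    return [(200, 30, 30, 255) for _ in range(WIDTH * HEIGHT)]

def make_perturbed_twin(seed=12345):
    # Look-alike "evil twin": same colours, but alpha jitters within 250..255, mimicking the
    # nearly invisible transparency changes described above. No payload is encoded here.
    pixels, state = [], seed
    for _ in range(WIDTH * HEIGHT):
        state = (1103515245 * state + 12345) % 2**31   # deterministic LCG noise
        pixels.append((200, 30, 30, 255 - (state >> 16) % 6))
    return pixels

def make_gradient_banner():
    # Legitimate creative that fades from transparent to opaque across its width.
    return [(200, 30, 30, x * 255 // (WIDTH - 1)) for _ in range(HEIGHT) for x in range(WIDTH)]

def alpha_stats(pixels):
    """Return (min alpha, fraction of non-opaque pixels, Shannon entropy of the alpha LSB)."""
    alphas = [a for (_, _, _, a) in pixels]
    non_opaque = sum(1 for a in alphas if a != 255) / len(alphas)
    entropy = 0.0
    for count in Counter(a & 1 for a in alphas).values():
        p = count / len(alphas)
        entropy -= p * math.log2(p)
    return min(alphas), non_opaque, entropy

def is_suspicious(pixels, max_drop=8, min_non_opaque=0.05, min_entropy=0.9):
    """Heuristic (assumed thresholds): flag a banner that looks fully opaque to a viewer,
    yet whose alpha values deviate slightly on many pixels with random-looking low bits."""
    lowest, non_opaque, entropy = alpha_stats(pixels)
    visually_opaque = lowest >= 255 - max_drop      # a real fade drops far below this
    return visually_opaque and non_opaque > min_non_opaque and entropy >= min_entropy
```

A flagged creative is a candidate for manual review rather than proof of an attack; the check is meant to run alongside the automated scanning of served ads described earlier.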
3. Yahoo Under Siege
In June 2016, web portal and online advertising giant Yahoo fell victim to a malvertising campaign that affected users in the United Kingdom, Australia and New York. In this malvertising attack, users saw an ad that purported to offer a speed check for their site but, if the user clicked on the ad, they were redirected to a landing page offering the download and installation of a browser extension. Once installed, the extension set the homepage of the user’s browser to the advertiser’s website: http://www.checkspeedsearch.com/fast?first-run.
As we warned at the time, this led to Trojan installations with a “severe” rating. Trojan infections typically allow hackers to download and install other malware, perform click-fraud, hijack sensitive information and provide remote access to the compromised machine.
This malvertising campaign worked on multiple major browsers, including Microsoft’s Internet Explorer and Google Chrome.
4. Spotify Faces the Music
Users of the free version of the popular streaming music service Spotify got more than just songs for a few days in 2016. Spotify admitted that listeners were served "questionable website pop-ups" that continually opened up a device's browser. The company did not provide technical details of the hack but users publicly reported multiple URL redirections from the Spotify Free players to pop-under ads and fake security warnings.
In addition to shady pop-ups, Spotify Free users reported malware infections across platforms (Windows, Mac OS X and Linux). The malvertising attack potentially affected tens of millions of computer users. Spotify blamed the malvertising on a single ad unit.
5. Malvertising on Google Adwords
In November 2016, Google Adwords, the company’s flagship pay-per-click advertising network, fell victim to a malvertising campaign triggered by the search term “Google Chrome”.
The campaign targeted Apple Mac OS X users and tricked them into downloading a malicious installer identified as 'OSX/InstallMiez' (or 'OSX/InstallCore'). The malvertising campaign targeting users searching for "Google Chrome" on google.com used a display URL of 'www.google.com/chrome'. However, clicking on the ad led Windows users to a page showing an error message that claims there is a DNS failure, while Mac users were redirected through a variety of other domains and ultimately infected with a malicious installer.
According to Cylance research, the malicious download link redirects macOS users through ttb(dot)mysofteir(dot)com, servextrx(dot)com, and www(dot)bundlesconceptssend(dot)com then ultimately downloads a malicious file named FLVPlayer.dmg. The malware hash changes on each download, making it difficult to detect and track.
Once the installation completes, the browser is redirected to a scareware page at ic-dc(dot)guardtowerstag(dot)com. Clicking on the link takes the user to macpurifier(dot)com – a potentially unwanted program (PUP) claiming to clean up OS X computers.
What to Expect in 2017
The prevalence of malvertising has pushed browser and operating system makers to tighten security controls. It has led to pop-up blocking/anti-scripting technologies and automated patching solutions. Because malvertising is powerful, effective and profitable, we expect the use of rigged ads on high-traffic sites to continue to grow and expand in 2017. If you want to protect the user experience, then talk to us, the experts in malvertising protection and ad quality monitoring online and on mobile.