430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Several Top websites as BBC, New York Times AOL, MSN and others victims of malvertising

Security experts from various firms have discovered a malvertising campaign that has been placing malicious ads on very popular websites like BBC and NYT. As the title says, a number of popular websites, including The New York Times, BBC, The Hill, Newsweek, AOL, MSN, and several others, were victims of a malvertising campaign. The attack […]

Several Top websites as BBC, New York Times AOL, MSN and others victims of malvertising

Security experts from various firms have discovered a malvertising campaign that has been placing malicious ads on very popular websites like BBC and NYT.

As the title says, a number of popular websites, including The New York Times, BBC, The Hill, Newsweek, AOL, MSN, and several others, were victims of a malvertising campaign.

The attack hijacked the ad network from each of these websites, crooks used the Angler Exploit Kit to deliver Ransomware to the people visiting these websites.

Investigations conducted by experts at Trustwave, Trend Micro, and Malwarebytes reported a spike in malicious traffic over the weekend.

There is no clue if this was part of a larger coordinated effort, but the conclusion is that whoever did this, knew exactly what they were doing.

We have just discovered an advertising campaign that has been placing malicious advertisements on very popular websites both in the US and internationally. “answers.com” (Alexa rank 420 Global and 155 in the US), “zerohedge.com” (Ranked 986 in the US) and “infolinks.com” (Ranked 4,649 Internationally) are only some of the big names that were recently found redirecting visitors to the Angler exploit kit through a malicious advertising campaign, and though malicious advertising has become part of our daily lives in the world of web security, this story is a little different.” states a blog post published by Trustwave.

“These days we’re practically used to the “standard” Malvertising campaigns where the placement of malicious advertisements on known ad provider networks leads potential victims to an exploit kits’ landing page.” Continues the post.

According to the experts at Trustwave, an experienced actor exploited an expired domain of a small but probably legitimate advertising company to launch the attack.

“This provides them with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, which our research has shown to lead to the Angler EK.” continues the post

Trend Micro reported that the attacks based on the Agler exploit kit increased in a significant way since March 9.
malvertising campaign March 2016

The innovation, in this case, was that crooks used recently expired domain as part of their campaign. By acquiring a recently expired domain, the threat actors are able to bypass some checks because the traffic appears as legit.

Malwarebytes connected the registration of two rogue domains to the attacks relaying on the Angler Exploit kit that hit during the week the visitors of the New York Times, MSN, BBC, AOL, The Hill, Newsweek, NFL.com, the Xfinity customer portal (my.xfinity.com), Realtor.com, and The Weather Channel.

They also explain very well, in an image what happens, when a user accesses one of this targeted websites, in this case assuming that DailyMail.com ads were compromised:

malvertising campaign March 2016 attack scheme

Crooks have chosen Ransomware to infect the victims because it offers a fast way to cash out the efforts.

As more and more variants of Ransomware appear, and since there are no costs once they pay the initial fee, we will keep see a rise in Ransomware during this year.

Please if you want to get more details feel free to access Malwarebytes page, TrendMicro, and Trustwave.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – ransomware, Malvertising)