Malvertisers hit Forbes with exploit kit attack
Neutrino and Angler exploit kits were pushed onto victims through third-party advertisements placed on Forbes.com.
Forbes: Hacked again - this time by malvertisers
A malvertising campaign was running on online publication Forbes.com earlier this month, serving up malware via ads on the site to visitors, according to security researchers.
It follows an attack on the same site in February which researchers attributed to the Chinese “Codoso” APT group.
In a blog post, FireEye outlined the latest attack which led to visitors' computers infected with malware. The ads were said to be running from 8 to 15 September.
"The Forbes.com website was serving content from a third-party advertising service that had been manipulated to redirect viewers to the Neutrino and Angler exploit kits. We notified Forbes, who worked quickly to correct the issue," said FireEye.
The exploit kits themselves exploit Flash, Java, Silverlight and various browser vulnerabilities. They also are quick to incorporate zero-day vulnerabilities. The attacks were only triggered on a handful of web pages on Forbes, not the whole website.
"This type of malicious redirection is known as malvertising, where ad networks and content publishers are abused and leveraged to serve ads that redirect users to malicious sites,” the firm added.
"Malvertising continues to be an attack vector of choice for criminals making use of exploit kits... When these ads are served by mainstream websites, the potential for mass infection increases significantly, leaving users and enterprises at risk."
The researchers added that by abusing ad platforms, and in particular ad platforms that enable Real Time Bidding, "attackers can selectively target where the malicious content gets displayed".
"When these ads are served by mainstream websites, the potential for mass infection increases significantly, leaving users and enterprises at risk."
In a statement on its website, Forbes said that "the malicious creatives identified were isolated to a single advertiser and immediately suspended”.
The statement said: "Forbes has strict practices in place to protect against these kinds of incursions and will make any necessary changes to be sure such incidents do not occur again."
According to a blog post by Malwarebytes, Realtor.com suffered a similar attack on its website from malware-laden ads. The hackers used the Angler exploit kit to target computers with ransomware or malware designed to carry out ad fraud.
“Rogue advertisers are putting a lot of efforts into making ad banners that look legitimate and actually promote real products or services,” said Jerome Segura, a researcher at Malwarebytes. “We should also note that the use of SSL to encrypt web traffic is getting more and more common in the fraudulent ad business and that only makes tracking bad actors more difficult.”
Kevin Epstein, vice president of threat operations at Proofpoint said that these attacks echo one his firm described in 2014 that was deployed though Yahoo and 25 other major brand sites. “Clearly the need for Malvertising protection – on the ad-hosting sites and at Enterprises whose employees browse such sites – remains strong,” he said.
“Malvertising can enter the ad chain at many points, and is virtually impossible to detect at scale using manual inspection. Fortunately, the same 'big data' tactics used by specialized targeted attack protection products to detect malware delivered through other vectors such as email or social media can be employed to protect against Malvertising,” he added.