New York Times, BBC and Newsweek dish up malvertising

An array of global entertainment, news and commentary sites have been hit with perhaps the largest malvertising campaign yet.

Even the giants of international journalism are not safe from malvertising

The great and good of global journalism have been hit with a malvertising campaign. The BBC, The New York Times and Newsweek have all been serving readers advertisements that deliver ransomware.

Ransomware is a form of malicious software which encrypts files and then attempts to blackmail victims into paying money - usually in the form of untraceable payments - to decrypt the data. 

The campaign was discovered on Sunday when US visitors to a plethora of popular entertainment, news and commentary websites found themselves infected with ransomware.

Companies like Malwarebytes and Trend Micro largely sat on the information in the early parts of this week, while they contacted the larger ad networks that were serving the ransomware. It was only today that a fuller picture was disclosed publicly.

Malvertising involves an attacker placing malicious code within an advertising package. The ad packages are then uploaded to websites, either directly or through an ad-serving network, where the attacker hopes a visitor to the site will click on them. Once clicked, the link takes the user's browser to a malware server, possibly via several hops across other domains, from which the malware is downloaded to the victim's computer.
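The multi-hop redirect chain described above is something a defender can look for in web proxy logs. The following is an added example, not code from the original article or from any vendor it quotes: it reconstructs per-client redirect chains from a constructed, hypothetical tab-separated log format (client IP, requested URL, HTTP status, Location header, Content-Type) and flags chains that hop across several distinct hosts before ending in a binary download. The log lines, hostnames and the list of download content types are all constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (hypothetical format, not a real product's output):
# client_ip <TAB> request_url <TAB> http_status <TAB> location_header <TAB> content_type
SAMPLE_LOG = """\
10.0.0.5\thttps://news.example/article\t200\t-\ttext/html
10.0.0.5\thttps://ads.example/serve?id=1\t302\thttps://track.example/r?x=1\ttext/html
10.0.0.5\thttps://track.example/r?x=1\t302\thttps://cdn-deliver.example/land\ttext/html
10.0.0.5\thttps://cdn-deliver.example/land\t302\thttps://payload.example/update.exe\ttext/html
10.0.0.5\thttps://payload.example/update.exe\t200\t-\tapplication/x-msdownload
10.0.0.7\thttps://ads.example/serve?id=2\t302\thttps://ads.example/creative/2\ttext/html
10.0.0.7\thttps://ads.example/creative/2\t200\t-\timage/png
"""

# Content types that indicate a binary payload rather than an ad creative
# (constructed list; tune to the environment being monitored).
DOWNLOAD_TYPES = {
    "application/x-msdownload",
    "application/octet-stream",
    "application/x-silverlight-app",
    "application/x-shockwave-flash",
}


def parse_log(text):
    """Turn the tab-separated log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, url, status, location, ctype = line.split("\t")
        records.append({
            "ip": ip,
            "url": url,
            "status": int(status),
            "location": None if location == "-" else location,
            "ctype": ctype,
        })
    return records


def build_chains(records):
    """Follow Location headers per client to reconstruct redirect chains.

    A chain head is a redirecting request that no other request redirected
    to; the chain then follows Location headers until a non-redirect or a
    URL we have no record for. Returns a list of (client_ip, [records]).
    """
    by_client = defaultdict(dict)  # ip -> url -> record
    for r in records:
        by_client[r["ip"]][r["url"]] = r

    chains = []
    for ip, urls in by_client.items():
        targets = {r["location"] for r in urls.values() if r["location"]}
        for url, r in urls.items():
            if r["location"] and url not in targets:
                chain, seen = [r], {url}
                nxt = r["location"]
                while nxt and nxt in urls and nxt not in seen:
                    seen.add(nxt)
                    chain.append(urls[nxt])
                    nxt = urls[nxt]["location"]
                chains.append((ip, chain))
    return chains


def suspicious(chain, min_hosts=3):
    """A chain is suspicious if it crosses several hosts and ends in a binary."""
    hosts = {urlparse(r["url"]).hostname for r in chain}
    ends_in_binary = chain[-1]["ctype"] in DOWNLOAD_TYPES
    return len(hosts) >= min_hosts and ends_in_binary


def flag_chains(text, min_hosts=3):
    """Return (client_ip, [urls]) for every suspicious chain in the log text."""
    return [
        (ip, [r["url"] for r in chain])
        for ip, chain in build_chains(parse_log(text))
        if suspicious(chain, min_hosts)
    ]


if __name__ == "__main__":
    for ip, urls in flag_chains(SAMPLE_LOG):
        print(ip, " -> ".join(urls))
```

The threshold of three distinct hosts is an arbitrary starting point: a legitimate ad-network redirect (as in the second client's chain above) typically stays within one or two hosts and ends in an image or HTML, so the combination of host count and terminal content type is what separates the two cases. In practice the Location-following logic should be joined with the Referer header as well, since exploit-kit landing pages are often reached through script-driven navigation rather than a 3xx response.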

This is far from the first time that the world has witnessed large malvertising campaigns. While malvertising was once found mostly on porn websites, it has blossomed across more and more sites, driven by the success of ransomware campaigns and easy access to advertising networks.

Last year, in notable attacks, the Independent and the Daily Mail in the UK were hit by malvertising campaigns.

Ben Harknett, VP EMEA for RiskIQ, told SCMagazineUK.com, “Malvertising jumped up over 300 percent year on year between 2014 and 2015 following a string of major publishing sites such as Forbes.com, Huffington Post and The Daily Mail being exploited by malvertising campaigns. We also found that the most common lure used in malvertisements in 2015 to date has been fake Flash updates, the same software which was exploited across the Yahoo ad network."

The malware was delivered through several different ad networks and used several different vulnerabilities. Potentially tens of thousands of people were infected with ransomware by this campaign and may find themselves victims of the Angler Exploit Kit (EK). Easily available, easy to use and as prolific as the common cold, the Angler EK has become the weapon of choice for many hackers, amateur and veteran alike.

Recently the EK was updated to include new vulnerabilities, notably a Microsoft Silverlight flaw. This new campaign may well bear witness to the EK's expanded capabilities.

It wasn't just the giants of media that were affected but also some of the biggest ad networks in the world. Often, malvertising targets lesser ad networks with perhaps weaker oversight of the actual content of the ads they host. This time, the compromised networks were the likes of Google's DoubleClick, AOL and AppNexus.

There is, perhaps, a reason for this. Ad networks are, by nature, diffuse, often working on real-time bidding systems to choose which ads to host. From there, it's not too hard to see how bad actors can slip through the cracks.

David Kennerley, senior manager for threat research at Webroot, told SC, “Unfortunately, simply keeping to trusted websites no longer means you'll stay safe. The outsourced, distributed and chaotic nature of the online advertising industry means that even the world's most popular websites have no visibility on the ad content displayed on their pages or its original source.”

Still, the list goes on. The victims of the attack also included AOL, the NFL, thehill.com, MSN.com and many others. Many of the offending ads have been removed, although some were still active on Monday. It is not currently possible to say whether all of them have been taken down.