Malvertisers hit Forbes with exploit kit attack

News by Rene Millman

Neutrino and Angler exploit kits were pushed onto victims through third-party advertisements placed on Forbes

A malvertising campaign ran on the online publication Forbes earlier this month, serving malware to visitors through ads on the site, according to security researchers.

It follows an attack on the same site in February which researchers attributed to the Chinese “Codoso” APT group.

In a blog post, FireEye outlined the latest attack, which infected visitors' computers with malware. The ads were said to have run from 8 to 15 September.

"The website was serving content from a third-party advertising service that had been manipulated to redirect viewers to the Neutrino and Angler exploit kits. We notified Forbes, who worked quickly to correct the issue," said FireEye.

The exploit kits themselves target vulnerabilities in Flash, Java, Silverlight and the browsers that host them, and their operators are quick to incorporate zero-day vulnerabilities. The malicious ads appeared on only a handful of Forbes pages, not across the whole website.

"This type of malicious redirection is known as malvertising, where ad networks and content publishers are abused and leveraged to serve ads that redirect users to malicious sites,” the firm added.

"Malvertising continues to be an attack vector of choice for criminals making use of exploit kits... When these ads are served by mainstream websites, the potential for mass infection increases significantly, leaving users and enterprises at risk."

The researchers added that by abusing ad platforms, and in particular ad platforms that enable Real Time Bidding, "attackers can selectively target where the malicious content gets displayed".
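The malicious redirection FireEye describes shows up on the proxy side as a Referer chain that starts at the publisher's ad call and ends somewhere the ad network never sent it. The following is an added example, not code from the article, FireEye or Forbes: it parses a constructed proxy-log format (timestamp, client, URL, Referer, status, content type; the layout, hostnames and sample lines are invented for illustration) and flags chains that leave the expected ad hosts and terminate in a Flash, Java or Silverlight payload.

```python
"""Flag malvertising-style redirect chains in web-proxy logs.

Added example, not code from the article, FireEye or Forbes. Log format,
hostnames and sample lines are constructed for illustration; a real deployment
would read its proxy's own format and maintain a real allowlist of ad hosts.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed allowlist: hosts the publisher expects in a legitimate ad call.
KNOWN_AD_HOSTS = {"ads.example-adnet.net", "cdn.example-adnet.net"}
PUBLISHER_HOSTS = {"www.example-news.test"}

# Plugin payload types the article says exploit kits target (Flash, Java, Silverlight).
PLUGIN_TYPES = {
    "application/x-shockwave-flash",
    "application/java-archive",
    "application/x-silverlight-app",
}

# Constructed log layout: timestamp client "url" "referer" status content-type
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<url>[^"]*)" "(?P<referer>[^"]*)" '
    r'(?P<status>\d{3}) (?P<ctype>\S+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlparse(rec["url"]).hostname or ""
    rec["ref_host"] = (urlparse(rec["referer"]).hostname or "") if rec["referer"] != "-" else ""
    return rec


def build_chains(records):
    """Per client, follow Referer links outward from each ad call.

    A chain starts at a request to a known ad host made from a publisher page
    and extends to every later request whose Referer is the previous hop.
    """
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)
    chains = []
    for client, recs in by_client.items():
        successors = defaultdict(list)
        for rec in recs:
            if rec["ref_host"]:
                successors[rec["referer"]].append(rec)
        starts = [r for r in recs
                  if r["ref_host"] in PUBLISHER_HOSTS and r["host"] in KNOWN_AD_HOSTS]
        for start in starts:
            chain, seen, cur = [start], {start["url"]}, start
            while True:
                nxt = [n for n in successors.get(cur["url"], []) if n["url"] not in seen]
                if not nxt:
                    break
                cur = nxt[0]  # follow the first branch; a full tool would fork here
                seen.add(cur["url"])
                chain.append(cur)
            chains.append((client, chain))
    return chains


def suspicious(chain):
    """True when the chain leaves the known ad/publisher hosts and ends in a plugin payload."""
    trusted = KNOWN_AD_HOSTS | PUBLISHER_HOSTS
    left_trusted = any(rec["host"] not in trusted for rec in chain)
    return left_trusted and chain[-1]["ctype"] in PLUGIN_TYPES


def detect(log_text):
    """Return (client, [hop hosts]) for every suspicious chain in the log."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return [(client, [rec["host"] for rec in chain])
            for client, chain in build_chains(records) if suspicious(chain)]


# Constructed sample: client 10.0.0.5 is redirected out of the ad network to a
# Flash payload; client 10.0.0.9 gets an ordinary image creative.
SAMPLE_LOG = """\
2015-09-10T10:00:01Z 10.0.0.5 "http://www.example-news.test/article/1" "-" 200 text/html
2015-09-10T10:00:02Z 10.0.0.5 "http://ads.example-adnet.net/serve?slot=top" "http://www.example-news.test/article/1" 200 text/javascript
2015-09-10T10:00:02Z 10.0.0.5 "http://cdn.example-adnet.net/creative/123.js" "http://ads.example-adnet.net/serve?slot=top" 200 text/javascript
2015-09-10T10:00:03Z 10.0.0.5 "http://landing.example-unknown.test/gate.php" "http://cdn.example-adnet.net/creative/123.js" 200 text/html
2015-09-10T10:00:04Z 10.0.0.5 "http://ek.example-unknown.test/flash.swf" "http://landing.example-unknown.test/gate.php" 200 application/x-shockwave-flash
2015-09-10T10:00:01Z 10.0.0.9 "http://www.example-news.test/article/2" "-" 200 text/html
2015-09-10T10:00:02Z 10.0.0.9 "http://ads.example-adnet.net/serve?slot=top" "http://www.example-news.test/article/2" 200 text/javascript
2015-09-10T10:00:02Z 10.0.0.9 "http://cdn.example-adnet.net/creative/456.jpg" "http://ads.example-adnet.net/serve?slot=top" 200 image/jpeg
"""

if __name__ == "__main__":
    for client, hops in detect(SAMPLE_LOG):
        print(client, " -> ".join(hops))
```

Two caveats apply in practice. The chain walker depends on the Referer header, which is frequently absent once ad traffic moves to HTTPS or a referrer policy strips it, so a second signal (landing-host reputation or age, for example) is needed alongside it. And the allowlist of ad hosts has to be kept in step with the publisher's actual ad partners, which is exactly the bookkeeping that real-time bidding makes hard.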

In a statement on its website, Forbes said that "the malicious creatives identified were isolated to a single advertiser and immediately suspended”.

The statement said: "Forbes has strict practices in place to protect against these kinds of incursions and will make any necessary changes to be sure such incidents do not occur again."

According to a blog post by Malwarebytes, another website suffered a similar attack from malware-laden ads. The attackers used the Angler exploit kit to hit computers with ransomware or with malware designed to carry out ad fraud.

“Rogue advertisers are putting a lot of effort into making ad banners that look legitimate and actually promote real products or services,” said Jerome Segura, a researcher at Malwarebytes. “We should also note that the use of SSL to encrypt web traffic is getting more and more common in the fraudulent ad business and that only makes tracking bad actors more difficult.”

Kevin Epstein, vice president of threat operations at Proofpoint, said that these attacks echo one his firm described in 2014 that was deployed through Yahoo and 25 other major brand sites. “Clearly the need for malvertising protection – on the ad-hosting sites and at enterprises whose employees browse such sites – remains strong,” he said.

“Malvertising can enter the ad chain at many points, and is virtually impossible to detect at scale using manual inspection. Fortunately, the same 'big data' tactics used by specialised targeted attack protection products to detect malware delivered through other vectors such as email or social media can be employed to protect against malvertising,” he added.

Adrian Crawley, regional director for Northern Europe at Radware, said that news sites are a target simply because they are the quickest way to get a message to the masses.

“Hackers are switched on to the fact that they can exploit the credibility of the media brand and do very little more than wait for people to take the bait. During the FIFA World Cup 2014, broadcasters and news sites were most at risk of attack after government organisations. In this case it was about disrupting an event that was in the global spotlight,” he said.

Eric Rand, security consultant at AlienVault, told SC that criminals often bypass the checks that ad networks have put in place by compromising the accounts of 'trusted' ad buyers.

“Businesses buying ad space are no better or worse at securing their credentials than any other user; they can lose control of their ad accounts just as often as anyone else loses control of a Facebook account or an email inbox,” he said.

Fraser Kyne, principal systems engineer at Bromium, said that the way the whole economy and the web are built on this advertising infrastructure is really quite horrible from a security point of view. “It is enabling third parties that have no relationship with the website provider to be able to inject adverts and quite complex code,” he said.

These ads rely on Flash and “really rely on the very fragile security of the Flash, the Flash engine and the browser and these other technologies,” he said. “With this level and amount of code, and the complexity, it is very challenging to make secure. In fact, basically impossible.”

Tom Williams, lead investigative consultant at Context Information Security, told SC that many people do not realise that many of the advertisements that appear on popular websites are handled by third-party advertising networks. “These adverts rotate content quickly and the main site has little control over what advertisements appear via these third-party advertising networks,” he said.

“Cyber-criminals are increasingly aware that compromising these advertising networks directly or purchasing advertising space from them and then using this to distribute adverts with malicious content, is an extremely effective way of compromising a large number of users very quickly,” said Williams.

He added: “Further, utilising this technique means that in the same way that advertisers can target specific consumer groups, cyber-criminals can target victims. This technique is becoming increasingly effective as some of the major exploit kits used in the attacks, like Angler, are beginning to incorporate more zero-day exploits, which traditional AV is unlikely to detect.”

Steve Ward, senior director at iSIGHT Partners, told SC that placing malicious ads on high-profile websites can potentially drive high volumes of traffic to exploit kits.

“However, the ads associated with this particular campaign were reportedly not shown on recent articles, most likely limiting its success. Due to its high-profile nature and clientele, Forbes is a desirable target for malicious actors. Most notably, Forbes was found to be compromised and serving a Flash exploit for malicious activity tied to Chinese cyber espionage operators in late 2014,” he said.