Malvertising attack could hit 50 m users

News by Max Cooter

A 'malvertising' attack that could affect as many as 50 million users, according to one security researcher, has hit some popular websites including Facebook's Bejewelled Blitz.

“One of the main features about this attack was its large surface area,” said Carl Leonard, principal security analyst at Raytheon|Websense. “This is quite a well thought-out attack. The author has done his reconnaissance to find how best to infect these users; he has delivered the exploit to a variety of regions, picking particularly popular sites.”

Leonard said that the attack had targeted the advertising platform OpenX. He said that the code instigated a redirect that led to the Angler Exploit Kit; this in turn exploited a Flash Player vulnerability. He said that one of the key elements in the attack was that it hit code that was no longer supported. “That's one lesson we can learn from this: be wary of code that's no longer supported. It's something we've seen with the end of life for Windows XP,” he added.

It's important to realise that the danger is still present, said Leonard. “The attack used a particular exploit within two weeks of that exploit going live. That's a very short timeframe that the IT teams have to work with.” He added that a particular feature of the attack was the way that the author didn't use the exploit every time. “He used it intermittently rather than every time, it means that not all users are guaranteed to see it.”

The attack on advertising platforms is a reminder that legitimate sites can be malicious, said Mike Smart, marketing director at Proofpoint. “Users can minimise the chance of being compromised by ensuring their endpoint security software is up to date and has real-time access to threat intelligence.”

Smart said that businesses shouldn't relax their defences and need to take additional measures. “This attack re-emphasises the need for additional enterprise defences, beyond endpoint detection that can provide quicker detection and visibility post-infection – such as targeted attack protection to disrupt the delivery vector, and automated threat response to block communications ports to malicious command and control hosts.”

Lancope's CTO, TK Keanini, said, “These methods are popular for cyber-crime because they require minimal effort, which means lowering their operational costs. We, in turn, need to ensure that we are doing everything to raise their operating costs. Until we treat this as a business problem, cyber-crime will continue to operate at a low cost and high profit. We need to do everything to stop their operations along the kill chain.”
