Malvertising (a portmanteau of malicious and advertising) is a form of distributing ‘injected’ malware through legitimate online advertising.
A malvertisement that appeared to advertise a Lamborghini Gallardo for sale actually contained a link that redirected users (via Google's own URL shortener) to a separate website where a Nuclear exploit kit payload was lying in wait; the payload in this case was a banking Trojan.
The hack itself was reported by Malwarebytes researcher Jerome Segura. He reports that this malvertising is similar to an attack on the PlentyOfFish* dating website.
Cases of malvertising typically see whole web advertising chains/networks being infected. The attack here therefore was not on Telstra as such, but on the network serving the advertisements it was displaying.
The Nuclear exploit kit to which this hack pointed is an off-the-shelf piece of hacking software with tools to exploit vulnerabilities in browser runtime environments and in the core backbone software that runs the web.
While culpability for this attack is not pointed directly at Telstra, users clearly place a certain level of trust in media providers of this type that operate at a national and/or international level.
With incidents like this becoming more prevalent, the liability of a host site for the dynamic content presented in its advertisements is increasingly open to question.
According to Jas Singh, CTO at health and community management company Medelinked, “Publishers need to make sure they implement controls and threat detection policies to defend their environment and mitigate such attacks. Typically, this starts with URL filtering and web reputation filtering as some of the first checks that can be implemented.”
Singh said that if user-requested web content gets past the URL and reputation filtering then real-time malware detection should also be put in place.
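The layered vetting Singh describes, as an added illustration that is not part of the original article or any vendor's product: an ad's click-through URL is resolved through its redirect chain, then passed through URL filtering (shorteners and excessive hops), reputation filtering, and finally an optional payload-scanner hook. The redirect table, hostnames and reputation scores are constructed for the example; only the URL-shortener hop mirrors the incident above.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for live HTTP 30x responses.
# Hostnames under .test are hypothetical; the shortener hop mirrors the story.
REDIRECTS = {
    "https://ads.example-adnetwork.test/click?id=42": "https://goo.gl/abc123",
    "https://goo.gl/abc123": "https://cdn.lambo-deals.test/landing.html",
    "https://ads.example-adnetwork.test/click?id=77": "https://cars.example-dealer.test/gallardo",
}
# Stage 1: URL filtering. A shortener hides the real destination from review.
URL_SHORTENERS = {"goo.gl", "bit.ly", "t.co"}
MAX_HOPS = 10
# Stage 2: reputation filtering. Constructed scores (0 = unknown, 100 = trusted).
REPUTATION = {"cars.example-dealer.test": 92, "cdn.lambo-deals.test": 5}
MIN_REPUTATION = 50


def resolve_chain(url, table=REDIRECTS, max_hops=MAX_HOPS):
    """Follow redirects offline; returns every URL visited, first to last.
    Stops once the chain exceeds max_hops so a redirect loop cannot hang us."""
    chain = [url]
    while chain[-1] in table and len(chain) <= max_hops:
        chain.append(table[chain[-1]])
    return chain


def vet_creative(url, table=REDIRECTS, scanner=None):
    """Return (verdict, reason) for an ad's click-through URL.
    `scanner` is an optional callable(final_url) -> True when the landing
    page is detected as malicious (stage 3, real-time malware detection)."""
    chain = resolve_chain(url, table)
    if len(chain) > MAX_HOPS:
        return "block", "redirect chain too long (possible loop)"
    for hop in chain:
        host = urlparse(hop).hostname or ""
        if host in URL_SHORTENERS:
            return "block", f"URL shortener in redirect chain: {host}"
    final_url = chain[-1]
    final_host = urlparse(final_url).hostname or ""
    score = REPUTATION.get(final_host, 0)
    if score < MIN_REPUTATION:
        return "block", f"low reputation for {final_host}: {score}"
    if scanner is not None and scanner(final_url):
        return "block", f"payload detected at {final_url}"
    return "allow", f"landing host {final_host} has reputation {score}"
```

Unknown landing hosts default to a reputation of 0 and are blocked, which is the conservative choice for a publisher that has not yet vetted an advertiser.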
Gavin Reid, VP of threat intelligence at Lancope, spoke to SCMagazineUK.com today to say that in the ‘underground economy’ PCs are monetised in various ways: stealing accounts, click-through fraud, phishing, DDoS, pirated software sites, fake anti-virus, ransomware and so on.
“Many, if not all, of the top 100 websites have fallen victim to compromised sponsored advertising (or malvertising). If you can get an advert with a malware redirect posted to a major website – there is no need to compromise the site,” he said.
Reid explained that miscreants use a hacked account or a stolen credit card to pay for the malware-laden ads, and the fact that the ads lead back to the ad provider gives them excellent cover.
“The adverts themselves can be targeted to the exact audience you want and security defenders can't blacklist the site or the advert-provider. This is where quick and very specific URL blocking can help; however, as with AV signatures, this is a race with both time and numbers being in favour of the miscreants,” he added.
Senior malware analyst at Avast Jaromir Horejsi spoke to SCMagazineUK.com to clarify just where users stand in relation to the secure web today.
“HTTPS cannot help avoid malvertising, in fact malvertising can be (and sometimes is) spread by infected online advertising services over HTTPS. To protect themselves from malvertising, people should keep their software, such as browsers and plugins up-to-date, adjust browser settings to detect and flag malvertising. They should also have antivirus software installed to detect and block malicious payloads that can be spread by malvertising.”
Principal consultant at Damballa Simon Edwards closed the commentary on this story by saying that this use of redirections (in this case from advertisements) to inject malware is a common attack vector seen by his team.
“It is a natural progression to see these attacks start to use advertisements (as opposed to infected URL links off a web site); what is scary in this case is the impact to reputation that it will have to the web site showing the advert in the first place (Telstra). Organisations rely on advertising revenues but they must do better at establishing whose adverts they are showing,” said Edwards.
Telstra's ‘media content’ home page has now disabled the link to the malvertising attack.
*A banking Trojan called Tinba, which is effectively a key-logger set up to harvest credit card details when victims use shopping websites, was being installed on the devices of visitors to the dating website Plentymorefish, which claims to have more than 100 million members internationally. In an email to SC, Mark James, security specialist at IT security firm ESET, noted that this infection was also delivered via malvertising and advised those affected to “Run Anti-Virus or security scans of your devices to check for any malware currently active on them. You could install and use an ad-blocking program to stop the adverts from being displayed (noting that this would also hit legitimate free websites dependent upon adverts). Ensure your operating systems and applications are all updated and patched and make sure you check your financial accounts regularly. Look out for any transactions you're not sure of, however small they may seem, and if possible change any financial banking login passwords immediately. Changing a password takes minutes; having to deal with recovering money from a hacked account can take months to get it all resolved and sorted, it's a no brainer!”