Malicious major website ads lead to ransomware
Cisco said the attacks can be traced to advertisements on Disney, Facebook and The Guardian newspaper
IDG News Service - Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and others are leading people to malware that encrypts a computer's files until a ransom is paid, Cisco Systems has found.
The finding comes shortly after technology companies and U.S. law enforcement banded together in a large operation to shut down a botnet that distributed online banking malware and so-called "ransomware," a highly profitable scam that has surged over the last year.
Cisco's investigation unraveled a technically complex and highly effective way for infecting large number of computers with ransomware, which it described in detail on its blog.
"It really is insidious," said Levi Gundert, a former Secret Service agent and now a technical lead for threat research and analysis at Cisco, in a phone interview Friday.
Cisco has a product called Cloud Web Security (CWS) which monitors its customers web surfing and reports if they are browsing to suspected malicious domains. CWS monitors billions of web page requests a day, Gundert said.
The company noticed that it was blocking requests to 90 domains, many of those WordPress sites, for more than 17 percent of its CWS customers, he said.
Further investigation showed that many of the CWS users were ending up on those domains after viewing advertisements on high-traffic domains such as "apps.facebook.com," "awkwardfamilyphotos.com," "theguardian.co.uk" and "go.com," a Disney property, among many others.
Certain advertisements that appeared on those domains, however, had been tampered with. If clicked, they redirected victims to one of the 90 domains.
The style of attack, known as "malvertising," has long been a problem. Advertising networks have taken steps to try and detect malicious advertisements placed on their network, but the security checks aren't foolproof.
Occasionally, bad advertisements slip in, which are shown on a vast array of websites that have signed up with the network or its affiliates. The websites where the ads appear are often unaware they're being abused.
"It goes to show that malvertising is a real problem," Gundert said. "People expect when they go to a Tier 1 website that it is a trustworthy place to visit, but because there are so many third-party external links, that's not really true."
The 90 domains the malicious advertisements pushed traffic to had also been hacked, Gundert said. In the case of the WordPress sites, it appears the attackers used brute-force attacks -- which involves guessing login credentials -- to access the site's control panels. Then, an exploit kit called Rig was inserted, which attacked the victim's computer, Gundert said.
The Rig exploit kit, first spotted in April by Kahu Security, checks if users are running an unpatched version of Flash, Java or the Silverlight multimedia program. If someone's computer isn't patched, "you're instantly exploited," Gundert said.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts