Online ad networks have proven to be efficient tools for spreading malware to a large number of sites simultaneously. Attackers who manage to get a malicious ad into a distribution network can put it in front of millions of users for a fraction of what it would cost to buy or build spam lists, for example.

Researchers at Blue Coat recently discovered a large malware campaign, one component of which used malicious ads to redirect users to sites hosting the Blackhole exploit kit.

Sites such as the Los Angeles Times website, Salon, The Fiscal Times, Women’s Health magazine and US News, among many others, were hosting ads serving malware as recently as Aug. 23, researcher Chris Larsen said. In addition to the news sites, a number of popular online survey and quiz sites were also hosting malicious ads as part of this campaign.

One of the domains discovered in this attack was adhidclick[.]com, a site registered in December that lay dormant until Aug. 22, when it began redirecting traffic to a family of Blackhole sites at the searcherstypediscksruns[.]com/[.]net/[.]org domains.

“All of the sites it relayed traffic to were evil,” Larsen wrote in a blogpost this week. “Each of these was registered (anonymously) last year, lay dormant for at least eight months (almost a year, actually, in one case!), popped into life for a couple of days in August, relayed its share of the traffic, and then retired. It’s an impressively large (and patient!) malvertising operation.”

The primary traffic sources to this intermediate layer of sites were a number of other media and lead-generation sites, which were themselves fed by ads placed on the LA Times, Women’s Health and the like. Some of the ad providers identified by Blue Coat include DoubleClick, Adnxs and others.

One site, dlelead[.]com, received almost 6,000 hits in less than a week, and another, gerlead[.]com, got more than 12,000 in less than two weeks from this campaign, Blue Coat said.

“The individual ‘funnel’ sites do go dark after a couple of days, but the overall traffic is still cranking along,” Larsen said. “As of this afternoon, we are still seeing traffic from the various latimes subdomains to dlelead[.]com. Salon[.]com is also showing up as a referrer to another of the malvertising sites, ingidigital[.]com, so they’re definitely still running the ads as well.”

About 25 media and lead-generation sites were benefiting from this campaign, the researcher said, and all of these sites followed the same pattern of being registered months before any activity began.

“The long hibernation time for these sites is very interesting,” Larsen wrote. “A second point of interest is how segmented this attack is — the Bad Guys managed to get each of these fake ad domains into a position of trust with a different target market, so that even if one were to be discovered, the overall attack could continue.”
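The relay pattern Larsen describes (a domain registered long before it is used, dormant, then active for only a few days, reached from a trusted publisher through a lead-generation site, and itself referring visitors on to exploit-kit hosts) can be hunted for in any proxy log that records the HTTP referrer. The script below is an added example and is not Blue Coat's tooling or code from the original article. The log lines, hostnames, registration dates, trusted-publisher list and thresholds are all constructed for illustration; the registration dates stand in for what you would pull from WHOIS or passive DNS first-seen data.

```python
"""Hunt for 'sleeper' relay domains in a referrer-bearing proxy log.

A host is flagged when it (1) is reachable by following referrer edges from
a trusted publisher, (2) refers traffic onward (a relay, not a leaf),
(3) was registered long before its first observed hit, and (4) was active
for only a short burst.  All data below is constructed for the example.
"""
from collections import defaultdict, deque
from datetime import date, datetime
from urllib.parse import urlparse

# Constructed proxy log: "timestamp client referrer requested_url" per line.
SAMPLE_LOG = """\
2012-08-22T10:01:00 10.0.0.5 http://news.example-pub.com/story http://lead-a.example/go
2012-08-22T10:01:02 10.0.0.5 http://lead-a.example/go http://relay-x.example/click
2012-08-22T10:01:03 10.0.0.5 http://relay-x.example/click http://ek-1.example/index.php
2012-08-23T14:20:00 10.0.0.9 http://news.example-pub.com/sports http://lead-a.example/go
2012-08-23T14:20:01 10.0.0.9 http://lead-a.example/go http://relay-x.example/click
2012-08-23T14:20:02 10.0.0.9 http://relay-x.example/click http://ek-2.example/index.php
2012-08-23T15:00:00 10.0.0.7 http://news.example-pub.com/story http://cdn.example-ads.com/a.js
2012-08-20T09:00:00 10.0.0.3 http://news.example-pub.com/x http://stats.example-ads.com/p
2012-08-24T09:00:00 10.0.0.3 http://news.example-pub.com/x http://stats.example-ads.com/p
"""

# Constructed registration dates (stand-in for WHOIS / passive-DNS first-seen).
REGISTERED = {
    "lead-a.example": date(2012, 6, 1),
    "relay-x.example": date(2011, 12, 5),
    "cdn.example-ads.com": date(2005, 1, 1),
    "stats.example-ads.com": date(2005, 1, 1),
    "ek-1.example": date(2012, 8, 21),
    "ek-2.example": date(2012, 8, 21),
}

# Hypothetical trusted publisher whose ad slots are the entry point.
TRUSTED_PUBLISHERS = {"news.example-pub.com"}


def host(url):
    """Hostname of a URL, or '' when the referrer is absent or unparsable."""
    return urlparse(url).hostname or ""


def parse_log(text):
    """Parse log lines into (timestamp, client, referrer_host, dest_host) tuples."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, ref, url = line.split()
        recs.append((datetime.fromisoformat(ts), client, host(ref), host(url)))
    return recs


def referrer_graph(recs):
    """Directed graph referrer_host -> {dest_host}, plus hit timestamps per dest."""
    out = defaultdict(set)
    hits = defaultdict(list)
    for ts, _client, ref, dst in recs:
        out[ref].add(dst)
        hits[dst].append(ts)
    return out, hits


def reachable_from(out, roots):
    """Every host reachable by following referrer edges from the roots (roots excluded)."""
    seen = set(roots)
    queue = deque(roots)
    while queue:
        cur = queue.popleft()
        for nxt in out.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - set(roots)


def find_sleeper_relays(recs, registered, publishers,
                        min_dormant_days=180, max_active_days=7):
    """Return relay hosts downstream of the publishers that match the sleeper pattern."""
    out, hits = referrer_graph(recs)
    flagged = []
    for h in sorted(reachable_from(out, publishers)):
        if not out.get(h):
            continue  # leaf (exploit-kit landing page or benign asset), not a relay
        reg = registered.get(h)
        if reg is None:
            continue  # no registration data: enrich before scoring
        first, last = min(hits[h]), max(hits[h])
        dormant = (first.date() - reg).days
        active = (last - first).days
        if dormant >= min_dormant_days and active <= max_active_days:
            flagged.append({"host": h, "dormant_days": dormant,
                            "active_days": active, "next_hops": sorted(out[h])})
    return flagged


if __name__ == "__main__":
    for hit in find_sleeper_relays(parse_log(SAMPLE_LOG), REGISTERED, TRUSTED_PUBLISHERS):
        print(hit)
```

On the constructed log, only relay-x.example is flagged: it was registered roughly eight and a half months before its first hit, relayed for a single day, and points at two different exploit-kit hosts. The lead-generation hop lead-a.example is also a relay but falls under the dormancy threshold, and the long-lived ad CDN hosts are leaves, so neither is reported. The thresholds are the knobs to tune against your own baseline; the segmentation Larsen notes (one funnel domain per target market) is exactly why the graph is walked from each trusted publisher rather than keyed on a single known-bad hostname.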

Attackers paid by the click or ad impression can cash in on some quick money with one of these schemes, and they’re likely to only get worse. Research presented a month ago at the Black Hat USA conference in Las Vegas showed how attackers could also leverage an ad network to distribute malicious JavaScript. WhiteHat Security’s Jeremiah Grossman and Matt Johansen demonstrated how an attacker could spend a small amount of money to buy an ad on a popular distribution network and create the equivalent of a botnet of browsers running their code, all on the back of the ad network. Some ad networks fail to adequately vet the JavaScript in ads for security, and the two researchers noted that in some instances they could target their ads by keyword and location. Once the ad is served, the attacker’s code runs in each visitor’s browser for as long as that browser session stays open.

Shortly thereafter, researchers at Palo Alto Networks uncovered a new malware strain that is installed alongside legitimate Android apps and then connects back to mobile ad networks in the background as part of a scheme to wring money from its victims. The app waits for the user to install another app, at which point a dialog box appears asking for permission to install more code; that code turns out to be malicious, gains control of the device’s SMS functionality and starts sending premium text messages to a service controlled by the attacker.

This article was updated Sept. 9 with clarifications throughout and a comment from Blue Coat.

Categories: Malware

Comments (2)

  1. Susanne Shaw
    1

    Why do some people want to hack and wreck other people’s e-lives? What is their motivation? Just pure malice? Or is it the US gov’t spying on everyone but their top richest guys who do the most harm world-wide? I wouldn’t put it past them.

    • Deramin
      2

      Like most crime, the motivation is money. In ‘Myths of Security’ John Vega gives an excellent explanation of how this works (especially Ch. 4 & Ch. 7). It’s a great book in general for learning why these things happen.

      Basically, you can steal financial account information to harvest money from victims, steal corporate credentials to get into company networks and steal their secrets, wait for people to use merchants like Amazon and intercept the transaction so you’re paid a referral fee for it, send spam (and charge businesses for the ‘ads’), deliver ads to users they wouldn’t have got otherwise, fraudulently generate “clicks” for ads so you get the referral fee, or use up a competing company’s ad budget by generating fraudulent clicks on their ads that potential customers never see, force the victim to call premium numbers you own so they’re forced to pay fees, create a botnet where other people can pay you to crash websites for them or otherwise attack others, or hold data ransom so the victim feels forced to pay. It basically boils down to a certain percentage of the human population being desperate for money and/or jerks. Which is why organized crime has always existed and always will.
