Two major online ad networks, DoubleClick and MSN, were serving malware via drive-by download exploits over the last week, experts say, after a group of attackers was able to trick the networks into displaying their ads by impersonating an online advertising provider.
The scheme involved a group of attackers who registered a domain that was one letter away from that of ADShuffle.com, an online advertising technology firm. The attackers then used the fake domain, ADShufffle.com, to dupe the advertising networks into serving their malicious banner ads. The ads used various exploits to install malware on victims’ PCs through drive-by downloads, according to information compiled by security vendor Armorize.
The ad networks only served the malicious content for a short period of time, but the episode shows just how difficult the drive-by download problem can be to address.
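The typosquat at the heart of this incident is one inserted character, which is exactly the kind of near-duplicate that a simple edit-distance check against the hostnames an ad operations team already trusts will catch. The following is an added defensive example, not code from the article, from Armorize or from the ad networks; the trusted-host allowlist and the sample ad-tag URLs are constructed for the demonstration (ADShuffle.com and rad.msn.com are the two vendor hostnames the article names; the other URLs are placeholders). It compares both the full hostname and its registrable domain, so a lookalike hidden under a subdomain is still flagged.

```python
"""Flag ad-tag hostnames that are near-duplicates of trusted ad vendors.

Added example for this article; not the networks' or Armorize's code.
TRUSTED_AD_HOSTS and SAMPLE_AD_TAGS are constructed for the demo.
"""
from urllib.parse import urlparse

# Vendors whose tags an ad-ops team expects to see (constructed allowlist).
TRUSTED_AD_HOSTS = {"adshuffle.com", "rad.msn.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased hostname of an ad-tag URL (scheme-less URLs allowed)."""
    parsed = urlparse(url if "://" in url else "//" + url)
    return (parsed.hostname or "").lower().rstrip(".")


def classify_host(host: str, trusted=TRUSTED_AD_HOSTS, max_distance: int = 2):
    """Return (verdict, nearest_trusted_host, distance).

    verdict is 'trusted' for an exact allowlist hit, 'lookalike' when the
    host or its registrable domain is within max_distance edits of a
    trusted host, and 'unknown' otherwise.
    """
    host = host.lower().rstrip(".")
    if host in trusted:
        return ("trusted", host, 0)
    labels = host.split(".")
    # Compare the whole host and the last two labels, so that a typosquat
    # served from a subdomain (cdn.adshufffle.com) is still caught.
    candidates = {host, ".".join(labels[-2:])}
    best_host, best_dist = None, None
    for cand in candidates:
        for t in trusted:
            d = levenshtein(cand, t)
            if best_dist is None or d < best_dist:
                best_host, best_dist = t, d
    verdict = "lookalike" if best_dist <= max_distance else "unknown"
    return (verdict, best_host, best_dist)


def audit_ad_tags(urls):
    """Return [(host, nearest_trusted, distance)] for every lookalike tag."""
    findings = []
    for url in urls:
        host = host_of(url)
        verdict, nearest, dist = classify_host(host)
        if verdict == "lookalike":
            findings.append((host, nearest, dist))
    return findings


# Constructed sample of third-party tags seen in a page's ad slots.
SAMPLE_AD_TAGS = [
    "https://adshuffle.com/tag.js",
    "https://rad.msn.com/serve",
    "https://cdn.adshufffle.com/loader.js",   # three f's: the typosquat
    "https://example-cdn.net/ad.js",          # unrelated placeholder host
]

if __name__ == "__main__":
    for host, nearest, dist in audit_ad_tags(SAMPLE_AD_TAGS):
        print(f"LOOKALIKE {host} ~ {nearest} (distance {dist})")
```

Tune `max_distance` to the length of the names on your allowlist: two edits is generous for a short host such as `msn.com` and would be better set to one there, while it still leaves longer vendor names room for the doubled or swapped letter that typosquats usually rely on. Anything classified `unknown` is not necessarily malicious; it simply is not a vendor you have vetted, which is its own review queue.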
“Users visit websites that incorporate banner ads from DoubleClick or […] (notice the three f’s), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim’s machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors,” Armorize CTO Wayne Huang said in a blog post describing the scheme.
“Known sites affected: Sites that incorporate DoubleClick or rad.msn.com banners, including for example Scout.com (using DoubleClick), realestate.msn.com, msnbc.com (using both), and mail.live.com. We’d like to note here it’s very possible that multiple exchanges, besides those listed here, have been serving the fake ADShufffle’s ads.”
In some instances, the attackers used the notorious Eleonore exploit pack and the Neosploit package to accomplish the drive-by downloads. The attacks exploited a wide variety of vulnerabilities in browsers and Adobe Reader.
It’s a classic drive-by download scenario, but in this case it’s made all the more troublesome by the broad reach of the legitimate ad networks that were victimized by the attack. Armorize researchers contacted officials at DoubleClick after discovering the scheme.
“We reached out to DoubleClick and in less than a few hours’ time they arranged a meeting with a group of their experts on anti-malvertising and incidence response. We were very surprised and impressed with the speed that DoubleClick acted. We provided details, and DoubleClick said they were already on top of the issue,” Huang said.
A spokesman for Google, which owns DoubleClick, told the IDG News Service that the malicious ads were only being served for a short amount of time, and that the company’s own malware filters detected the ads, as well.