Malware Campaign Leverages Ad Networks, Sends Victims to Blackhole

A component of a large malware campaign includes compromised ads redirecting visitors to large sites such as the Los Angeles Times to websites hosting the Blackhole Exploit Kit.

Online ad networks have proven efficient tools in spreading malware to a large number of sites simultaneously. Attackers who manage to spike an ad distribution service can potentially have millions of eyeballs on a malicious ad for a fraction of the cost it would take to buy or build spam lists, for example.

Researchers at Blue Coat recently discovered a large malware campaign, a component of which included malicious ads redirecting users to sites hosting the Blackhole exploit kit.

Sites such as the Los Angeles Times website, Salon, The Fiscal Times, Women’s Health magazine and US News, among many others, were hosting ads serving malware as recently as Aug. 23, researcher Chris Larsen said. In addition to the news sites, a number of popular online survey and quiz sites were also hosting malicious ads as part of this campaign.

One of the domains discovered in this attack was adhidclick[.]com, a site registered in December that slept silently until Aug. 22 when it began redirecting traffic to a family of Blackhole sites at the searcherstypediscksruns[.]com/[.]net/[.]org domain.

“All of the sites it relayed traffic to were evil,” Larsen wrote in a blogpost this week. “Each of these was registered (anonymously) last year, lay dormant for at least eight months (almost a year, actually, in one case!), popped into life for a couple of days in August, relayed its share of the traffic, and then retired. It’s an impressively large (and patient!) malvertising operation.”

The primary traffic sources to this intermediate layer of sites were a number of other media and lead-generation type sites being fed by ads placed on the LA Times, Women’s Health, etc. Some of the ad providers identified by Blue Coat include DoubleClick, Adnxs and others.

One site, dlelead[.]com, received almost 6,000 hits in less than a week, and another, gerlead[.]com, got more than 12,000 in less than two weeks from this campaign, Blue Coat said.

“The individual ‘funnel’ sites do go dark after a couple of days, but the overall traffic is still cranking along,” Larsen said. “As of this afternoon, we are still seeing traffic from the various latimes subdomains to dlelead[.]com. Salon[.]com is also showing up as a referrer to another of the malvertising sites, ingidigital[.]com, so they’re definitely still running the ads as well.”

About 25 media and lead-generation sites were benefitting from this campaign, the researcher said, and all of these sites followed similar patterns of being registered for months before any activity began.

“The long hibernation time for these sites is very interesting,” Larsen wrote. “A second point of interest is how segmented this attack is — the Bad Guys managed to get each of these fake ad domains into a position of trust with a different target market, so that even if one were to be discovered, the overall attack could continue.”
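A defender-side heuristic for the pattern described above (domains registered months earlier, left dormant, then suddenly receiving traffic from several publisher sites and relaying it onward), as an added example that is not from the article or from Blue Coat. The proxy log lines, hostnames and registration dates are constructed; in practice the registration dates would come from WHOIS or passive-DNS first-seen data.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed proxy log lines (not real data): "timestamp referrer_host dest_host".
PROXY_LOG = """\
2012-08-22T10:01:00 news.example.com funnel-a.example
2012-08-22T10:01:01 funnel-a.example landing-x.example
2012-08-22T11:15:00 survey.example.org funnel-a.example
2012-08-23T09:00:00 health.example.net funnel-a.example
2012-08-23T09:00:01 funnel-a.example landing-y.example
2012-08-23T12:30:00 news.example.com cdn.example.com
2012-08-23T12:31:00 news.example.com cdn.example.com
"""

# Constructed registration dates (hypothetical; WHOIS or passive DNS in practice).
REGISTERED = {
    "funnel-a.example": date(2011, 12, 5),
    "cdn.example.com": date(2005, 3, 1),
    "landing-x.example": date(2011, 11, 20),
    "landing-y.example": date(2011, 11, 20),
}

def parse_log(text):
    """Yield (timestamp, referrer_host, dest_host) tuples from the log text."""
    for line in text.splitlines():
        ts, ref, dst = line.split()
        yield datetime.fromisoformat(ts), ref, dst

def flag_funnels(records, registered, min_dormant_days=180, min_referrers=2):
    """Return hosts that look like malvertising 'funnel' domains."""
    first_seen, referrers, relays = {}, defaultdict(set), defaultdict(set)
    for ts, ref, dst in records:
        first_seen.setdefault(dst, ts.date())   # logs assumed time-ordered
        referrers[dst].add(ref)                 # who sends traffic to dst
        relays[ref].add(dst)                    # where ref sends traffic on to
    flagged = {}
    for host, seen in first_seen.items():
        reg = registered.get(host)
        if reg is None:
            continue
        dormant = (seen - reg).days
        # Registered long ago, first traffic only now, fed by several distinct
        # publishers and relaying onward: the funnel pattern. A long-lived CDN
        # with one referrer and no onward relay is not flagged.
        if dormant >= min_dormant_days and len(referrers[host]) >= min_referrers and relays[host]:
            flagged[host] = {"dormant_days": dormant,
                             "referrers": sorted(referrers[host]),
                             "relays_to": sorted(relays[host])}
    return flagged
```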

Attackers paid by the click or ad impression can cash in on some quick money with one of these schemes, and they’re likely to only get worse. Research revealed a month ago at the Black Hat USA conference in Las Vegas how attackers could also leverage an ad network to distribute malicious JavaScript. White Hat Security’s Jeremiah Grossman and Matt Johansen demonstrated how an attacker could spend short money to buy an ad on a popular distribution network to create the equivalent of a botnet of browsers to distribute their code, all on the back of the ad network. Some ad networks fail to adequately vet JavaScript for security; the two researchers noted they could target their ads via keywords and location in some instances. Once the code is distributed on the ad network, an attacker would have control over it as long as a browser session was open.

Shortly thereafter, researchers at Palo Alto Networks uncovered a new malware strain that is being installed with legitimate Android apps and then connecting back to mobile ad networks in the background as part of a scheme to wring money from its victims. The app waits for the user to install another app, and a dialog box will appear asking for permission to install more code, which turns out to be malicious; it gains control of the device’s SMS app and starts sending out premium text messages to a service controlled by the attacker.

This article was updated Sept. 9 with clarifications throughout and a comment from Blue Coat.