Researchers at Malwarebytes Labs have discovered another malvertising campaign, likely from the same group responsible for the recent attack on The Huffington Post and Zillow. A Flash-based ad was used to deliver the Cryptowall ransomware.
This new malicious campaign involves Google's DoubleClick ad network.
Jerome Segura, senior security researcher at Malwarebytes, said the latest malvertising attack was carried out through merchenta, a company that provides a platform for ad exchange and direct integrations with top publishers. Merchenta boasts 28 billion monthly impressions in the U.S., 14 billion in the U.K., 18 billion in EMEA, and 9 billion in Asia. The company works with top-tier ad networks, such as Google DoubleClick, and the real-time bidding platform Biddable.
DoubleClick is not directly responsible for loading the malicious ad, but it starts the chain with publishers, which unfortunately have little control over transactions that follow.
The criminals posed as an advertiser, infiltrated the platform via a third party and managed to house a malicious advertisement directly on merchenta's ad platform, which fed into Google's DoubleClick channels, according to Malwarebytes. Within minutes, the malicious ad had infected 95% of the ads running on the network in the United States, the United Kingdom and Europe, exposing a huge number of people worldwide.
The Flash ad hosts the malicious code, which redirects the browser to another page. Individuals do not need to click on the ad for a computer to become infected; that is a common misconception. As the ad server loads the Web page on the individual's screen, the malicious code downloads the malware onto the computer.
"We call it a drive-by download," said Segura. "You surf the Web, the ad loads on the screen, the computer gets infected. It happens within seconds."
The latest example is another reminder of the weaknesses of online advertising. The biggest weakness is that ad networks rely on third-party data being "trustworthy." Vulnerabilities in Flash technology present another problem, Segura said. The majority of ads use Flash, although some companies have begun building ads in HTML5. If the ad network can host the ad itself, it becomes less of a problem, he said.
Malwarebytes worked with ClarityAd to confirm the attack, which began last weekend and showed a well-known ad network with direct ties to Google's DoubleClick caught in a large malvertising incident. Several well-known sites were affected, such as Hermes Paris.
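One defender-side consequence of the point about networks hosting ads themselves is that a network that holds the creative can refuse Flash at upload time, before anything is served. The example below is added here and is not code from Malwarebytes, merchenta, ClarityAd or MediaPost; it assumes a hypothetical creative-review pipeline in which each uploaded creative is available as bytes, and it identifies Flash either by the SWF container signature (FWS, CWS or ZWS in the first three bytes) or by HTML markup that embeds a .swf. The sample creatives are constructed for the demonstration.

```python
import re
import zlib

# SWF container signatures: the first three bytes of every Flash movie file.
SWF_SIGNATURES = {
    b"FWS": "uncompressed",
    b"CWS": "zlib-compressed",
    b"ZWS": "lzma-compressed",
}

# Markup patterns that embed a Flash movie in an otherwise HTML creative.
FLASH_MARKUP = re.compile(
    r"(application/x-shockwave-flash|\.swf\b)",
    re.IGNORECASE,
)


def classify_creative(name: str, data: bytes) -> dict:
    """Return a verdict dict for one uploaded creative.

    'flash' is True when the creative is a SWF file or HTML that embeds one;
    'reason' explains which check fired so a reviewer can see why it was held.
    """
    verdict = {"name": name, "flash": False, "reason": ""}

    # Check 1: a raw SWF file. Header is signature (3), version (1),
    # declared uncompressed length (4, little-endian).
    sig = data[:3]
    if sig in SWF_SIGNATURES and len(data) >= 8:
        version = data[3]
        declared_len = int.from_bytes(data[4:8], "little")
        verdict["flash"] = True
        verdict["reason"] = (
            f"SWF ({SWF_SIGNATURES[sig]}), version {version}, "
            f"declared length {declared_len} bytes"
        )
        return verdict

    # Check 2: an HTML/JS creative that loads a Flash movie.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        verdict["reason"] = "binary creative, not a SWF container"
        return verdict

    match = FLASH_MARKUP.search(text)
    if match:
        verdict["flash"] = True
        verdict["reason"] = f"HTML creative references Flash via {match.group(0)!r}"
    else:
        verdict["reason"] = "no Flash content found"
    return verdict


def vet_creatives(creatives: dict) -> tuple:
    """Apply a no-Flash policy: returns (accepted, rejected) lists of verdicts."""
    accepted, rejected = [], []
    for name, data in creatives.items():
        verdict = classify_creative(name, data)
        (rejected if verdict["flash"] else accepted).append(verdict)
    return accepted, rejected


# Constructed sample creatives (hypothetical names and contents).
SAMPLE_CREATIVES = {
    # Minimal uncompressed SWF header: "FWS", version 10, length 12, padding.
    "banner.swf": b"FWS\x0a" + (12).to_bytes(4, "little") + b"\x00" * 4,
    # zlib-compressed SWF: header stays uncompressed, body is zlib data.
    "compressed.swf": b"CWS\x0c" + (200).to_bytes(4, "little") + zlib.compress(b"\x00" * 192),
    # HTML5 creative with no Flash at all.
    "html5_ad.html": b'<div class="ad"><canvas id="c" width="300" height="250"></canvas>'
                     b"<script>document.getElementById('c').getContext('2d');</script></div>",
    # Legacy HTML creative that embeds a Flash movie.
    "legacy_embed.html": b'<object type="application/x-shockwave-flash" data="promo.swf">'
                         b'<param name="movie" value="promo.swf"></object>',
}

if __name__ == "__main__":
    ok, held = vet_creatives(SAMPLE_CREATIVES)
    for v in held:
        print(f"REJECT {v['name']}: {v['reason']}")
    for v in ok:
        print(f"ACCEPT {v['name']}: {v['reason']}")
```

The check only recognises declared Flash content; it is a policy gate for the format the article singles out, not a malware scanner, and a network would still want the usual creative scanning and buyer vetting behind it.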
UPDATE: Neil McClements, merchenta CEO, disagrees. In an email he insists the company has "zero tolerance for malware" and is working hard to prevent this type of disruption.
The paradigm of hand-coding Flash files and uploading to an ad server is antiquated, and this problem will only grow as programmatic buying grows. Ads should be machine-built both to reduce QA time and the risk of malware infection. Put simply, Flash just wasn't architected for a programmatic world.
In a support environment, you can tell the client not to click on the fake Flash update, but with these drive-by downloads, you better hope that your anti-virus software is up to the task. Thanks for the heads-up, MediaPost.
ditto
Hopefully this will spur back-end publishers to get HTML5 compliant. Many aren't, and haven't been impressive in moving to the new standard. HTML5 has been on the menu for forward-thinking companies for years and years now.
Malware risks like this are one of the leading reasons for ad-blocking plugins, and they hurt the entire ecosystem every time an incident like this happens.
Although the blame starts with the malware authors, ad networks need to step up their efforts with security and start vetting their buyer partners much more closely.
It seems that a dead-end has been reached. One article mentions the backlash against ad-blockers, while another article addresses the problems with malvertising. Is there a way out for the average user?
I agree with the comments.
In the end, the main issue for this type of fraud is the feature to allow advertisers to use an insecure ad format, which is Flash. Put an end of life on Flash ads within the networks and this type of fraud goes away. Pretty simple solution for a complex problem. Fraud will find another way, but at least we solve this issue now.
In addition, the average user needs to make sure they keep their machines, antivirus and antimalware software updated every day... as this should go without saying.