Taking advantage of the fact that a lot of security companies are more relaxed over the weekend, cybercriminals use the opportunity to strike.
This weekend, the popular auto trading site Autotrader.co.uk and the cinema site Myvue.com both served ads that redirected the browsing user to malicious Web sites laden with exploits – a phenomenon also known as malvertising.
The Web sites themselves weren’t compromised but were serving ads from an ad provider called Unanimis that led browsing users seamlessly – in the background and without their knowledge – to exploit sites.
Unanimis serves ads to thousands of Websites and we’ve received reports that ebay.co.uk and londonstockexchange.com were also affected by this malvertising campaign. One of the advantages that cybercriminals enjoy with malvertising campaigns is that they can be easily spread across a large number of legitimate Websites without directly compromising those Websites, but indirectly through the use of a malicious ad.
The malicious ads were not served from the sites’ main pages – in order for the exploit to work, specific ads would have to be loaded by the sites. For example at Autotrader.co.uk, a redirect to an exploit site through an ad would occur if the browsing user clicked on the button to search for a car, and at Myvue.com the same would happen if the browsing user clicked on the button to order movie tickets. It’s at those points that more specific adverts are sent to the user’s browser.
Let’s take a look at an example from Autotrader.co.uk. Here is an image that captures what happens in the background when a user searches for a car with any desired criteria:
The first step is the URL that the user is browsing to when searching for a car according to his/her desired criteria: you can see that as part of the URL it has the postcode (blurred), the price range etc. In the background Autotrader.co.uk loads some advertisements from some ad providers. At step 2 it loads the advertisement from a legitimate ad provider called Unanimis.
The advertiser redirects to the advertisement in step 3. Step 3 redirects further to step 4, but no advertisement is shown. Step 4 is a site loaded with an exploit kit and several exploits are sent to the user’s browser.
The exploit site is heavily obfuscated and serves several exploits that target Internet Explorer, Adobe Acrobat Reader, and Java. We observed that the exploit kit used is very similar to an exploit kit called “Blackhole”.
The dropped file installs a rogue antivirus on the user’s computer – the software tells users that their computer is infected and offers a “cleaning antivirus” for $59.95. In the meantime the software disrupts the use and ordinary functionality of the computer by hogging CPU power, displaying disturbing pop-ups and more. The dropped file has low detection rate.
We have been following the exploit domains in this malvertising campaign for quite a long time now, and it seems that cybercriminals use fee-based advertising networks to propagate malware – that means cyber criminals are willing to pay in order to propagate malware.
The rogue antivirus that is installed:
Author: Elad Sharf, Websense Security Labs.