The World Cup 2014 championship has begun and like most major sports events, employees are browsing websites to check the latest scores, watch streaming live games and chat with their peers about the latest updates. Sports-related websites receive a lot of traffic during large events like these creating a prime opportunity for advertisers to post campaign banners and watch the cash roll in.
However, advertisers are not the only ones cashing in. Unbeknownst to fans, criminals planted malware in an advertisement on the popular sports-focused Brazilian website, lancenet.com.br. If fans were running a vulnerable version of Adobe Flash, simply visiting the site could let the ad plant malware on their machines, giving criminals full access to their valuable information. And this attack goes beyond Brazil. While the World Cup games take place in Brazil, the websites affected by malvertisement campaigns can be in any region. Given the global attention surrounding this event, these kinds of malvertisement campaigns can be very successful anywhere.
Our researchers discovered this latest malvertisement campaign when we saw it being blocked by our Trustwave Secure Web Gateway. The antimalware technology is designed to detect and filter out malware in real-time to help protect users from blended threats, data loss and zero-day vulnerabilities and help them use the Web and cloud applications securely.
In light of the upcoming World Cup 2014, many fans may visit lancenet.com.br, which is why we want to get the word out. We have contacted the site owner, who said the issue has been resolved; however, this discovery is a good reminder to World Cup fans and all internet users that best security practices must be at the forefront of their minds when browsing the Web and checking emails.
Malvertisement attacks can be highly deceptive. They can be launched and used on websites that are legitimate and there’s usually no visual evidence that the site contains a malicious advertisement. For example, one malvertisement attack that happened earlier this year using a popular advertisement service showed banners with photos of cars – nothing appeared out of the ordinary.
Malvertisement attacks can also deceive website administrators. Many websites show content that comes from advertising networks, and therefore the website administrators do not control that content. Even if administrators scan the advertisement when it is first posted on their website and determine that it is clean, later versions of the ad can be malicious. Moreover, the malicious ad can be displayed next to legitimate ads, making it more elusive. Also, in the lancenet.com.br case, the third-party advertising network was loading live content from another third-party ad service, making the website administrator even more removed from the content being posted.
Too often, website administrators inherently trust a certain ad network and assume that network fetches content only from other trusted ad networks and providers – an assumption that may be false. Identifying that a banner is malicious is complicated because the malicious scripts may be well hidden in the SWF file (the format that delivers vector graphics, text, video, and sound over the Internet and is supported by Adobe® Flash® Player software), and may be loaded from another file. They can also be obfuscated.
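To illustrate the kind of triage a defender can do on a banner SWF before it is allowed on a site, here is an added example (not code from the original post or from Trustwave): a minimal SWF tag walker that lists the tags capable of carrying ActionScript (DoAction, DoInitAction, DoABC) and pulls any URL strings out of tag bodies, which is where a loader that fetches the real script from "another file" would show up. The sample SWF it scans is constructed inline, and the URL in it is a placeholder, not a real indicator.

```python
import re
import struct
import zlib

# Tag codes from the SWF specification that can carry script bytecode
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def swf_tags(data: bytes):
    """Yield (tag_code, tag_body) for every tag in an FWS or CWS (zlib) SWF."""
    sig = data[:3]
    if sig == b"CWS":
        body = zlib.decompress(data[8:])   # header is never compressed
    elif sig == b"FWS":
        body = data[8:]
    else:
        raise ValueError("not an FWS/CWS file (ZWS/LZMA is not handled here)")
    # Skip the RECT (5-bit nbits field, then four nbits-wide values),
    # then the 16-bit frame rate and 16-bit frame count.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 4
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        code, size = hdr >> 6, hdr & 0x3F
        pos += 2
        if size == 0x3F:                   # long form: 32-bit length follows
            (size,) = struct.unpack_from("<I", body, pos)
            pos += 4
        yield code, body[pos:pos + size]
        pos += size
        if code == 0:                      # End tag
            break

def scan_swf(data: bytes) -> dict:
    """Report which script-bearing tags exist and any URLs embedded in tags."""
    report = {"script_tags": [], "urls": []}
    for code, tag in swf_tags(data):
        if code in SCRIPT_TAGS:
            report["script_tags"].append(SCRIPT_TAGS[code])
        report["urls"] += [u.decode() for u in URL_RE.findall(tag)]
    return report

def build_sample_swf(compress: bool) -> bytes:
    """Constructed sample: a DoAction tag that pushes a placeholder URL, then End."""
    url = b"http://ads.example/loader.swf"   # placeholder, not a real indicator
    push = b"\x96" + struct.pack("<H", len(url) + 2) + b"\x00" + url + b"\x00"  # ActionPush string
    action = push + b"\x00"                                                    # ActionEnd
    tags = struct.pack("<HI", (12 << 6) | 0x3F, len(action)) + action + b"\x00\x00"
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tags   # empty RECT, 12 fps, 1 frame
    header = (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)
```

Tags alone do not prove malice (most real banners contain script), but a banner that loads further content from a host the ad network did not declare is exactly the kind of thing to send back for review.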
Taking it a step further, some malicious banners include a hidden link to an exploit kit such as Magnitude or Flashback, enabling the attacker to change the malware they drop during the campaign at any time. The exploit kit can be updated with new exploits, thus keeping the attack effective over time. Moreover, they can program the exploit kit page to do nothing bad in the first couple of hours or days, so that the banner passes any automated security testing or quality control, and add the malicious behavior to the exploit kit page later.
As the World Cup 2014 championship continues, the lancenet.com.br attack should serve as an eye opener for businesses whose employees may be taking breaks throughout the day to get the latest tournament updates. While we always recommend that businesses hold security awareness training to teach their employees what not to click on, in this particular case employees could get infected simply by visiting the site. That is why we recommend the following course of action:
Antimalware technologies are critical. Businesses should have antimalware technologies in place, such as gateways that can detect and filter out malware in real-time. That way, if an employee does visit a site that contains a malicious ad, the technology will strip out the malware before the page even reaches the end-user.
Keep software up to date. Users should make sure they keep all their software updated with the latest patches. In this case, if the latest patch for Adobe Flash is installed, the exploit would fail. It’s not a simple task, but in order to minimize the chance of a successful exploit in your organization, administrators have to keep any software that consumes web-based content up to date. As revealed in our 2014 Trustwave Global Security Report, 85 percent of exploits detected were of third-party plug-ins, including Java, Adobe Flash and Acrobat Reader.
A recent Osterman Research survey of security professionals showed that malware has infiltrated 74% of organizations through the Web during the past year. Large sports events open the door to these kinds of attacks. Don’t let your business be the next victim.