Widespread malvertising campaign targets high-profile sites, delivers ransomware

A newer version of the CryptoWall ransomware has been delivered to unsuspecting Internet users via malicious ads shown on a considerable number of high-profile websites, including properties in the Yahoo, Match.com, and AOL domains.

According to Proofpoint’s calculations, the malvertising campaign started in late September, picked up the pace this month, and lasted until October 18 and likely even a bit longer. They believe that the criminals have managed to “earn” at least $750,000 during that period.

“Malvertising is the fastest-growing segment of attack techniques – but it is very difficult to get views of the malicious ads because they display only to intended victims and are then gone,” the researchers explained.

“Malvertising attacks are especially virulent for two reasons. First, leveraging the online ad network gives attackers the ability to target specific groups; attackers can ensure infection across a designated demographic or targeted set of audiences. Second, because there are so many players in the supply chain through which a given advertisement passes, attackers can more easily avoid detection.”

In this campaign, the attackers took already existing ads for legitimate products and submitted them to at least three major ad network members (Rubicon Project, Right Media/Yahoo Advertising, and OpenX).

Visitors to the sites that ended up serving the malicious ads were automatically infected with the ransomware if they used software with vulnerabilities exploitable by the FlashPack Exploit Kit.

The ransomware then encrypts the victims’ hard drives and asks for money in return for the decryption key. Unfortunately, even if the ransom is paid, there is no guarantee that the victim will actually receive the key.

The ransom is supposed to be paid in Bitcoin, and the addresses the criminals used for this purpose are numerous and generated by the C&C server. “Incoming coins are quickly transferred to multiple other addresses in what’s apparently a coin laundering process,” the researchers noted.

This particular campaign now seems to be over – all the affected parties (optimizers and ad networks) have been notified, and the malicious ads pulled. Still, that doesn’t mean that the attackers have not switched to spreading CryptoWall 2.0 via other means.

“The impact of malvertising is not limited to end-users; the publishers and advertisers are also victimized to the extent that they are exposed to brand damage: end-users are unaware of the distinctions between sites, networks, and stolen ad creative content,” the researchers pointed out.

“It is clear that site owners and ad distributors need to invest in more advanced tools to detect malicious advertisements that are embedded in the ad stream. In particular, site owners cannot and should not assume that the ad networks are taking care of this for them, and should proactively seek tools for online brand protection,” they concluded.