In the last couple of days, visitors of a number of highly popular websites have been targeted with malicious adverts that attempted to install malware (mostly ransomware, but also various Trojans) on their systems.
The websites in question were those of the NY Times, the BBC, Newsweek, and The Hill, as well as Microsoft’s MSN website, Aol.com, the Weather Network, the HNL, and Realtor.com. The number of monthly visitors to each of these ranges from tens of millions to over one billion (the MSN portal).
The websites themselves weren’t compromised. The problem was that the ad networks these sites use – Google, AppNexus, AOL, Rubicon – were tricked into serving the malicious ads, which would lead users to sites hosting an exploit kit.
“The first couple of days before this campaign went big, we observed a few hits on smaller publishers that were pushing the RIG exploit kit,” noted Malwarebytes’ Jerome Segura. “On Sunday, when the attack really expanded, the Angler exploit kit was then used.”
Users vulnerable to the exploits leveraged by the exploit kits were initially saddled with the Bedep backdoor malware that would then download the Avrecon Trojan.
According to Trustwave researchers, the same campaign also hit visitors of answers.com, Infolinks.com and several other popular sites during the weekend, and the malicious ads were delivered through at least two affiliate networks, one of which reacted almost immediately after being notified of the problem. The other has yet to get back to the researchers.
Trustwave noted that the attack resulted in the delivery of both the Bedep backdoor and TeslaCrypt ransomware – but only if the targeted machines were found not to be running one of a long list of security products and tools, and had vulnerabilities that the exploit kit could take advantage of.