It was just reported that malicious ads on websites like Facebook, Disney, The Guardian newspaper and others lead users to ransomware which encrypts their computer’s files until a certain ransom is paid.
The news about the dangerous adverts comes a while after technology companies and U.S. law enforcement banded together in a large operation to shut down a botnet which distributed online banking malware and so-called “ransomware,” a highly profitable scam that has surged over the last year.
“It really is insidious,” stated the former Secret Service agent Levi Gundert in a phone interview last week.
There is a product called Cloud Web Security (CWS) which monitors the customers web surfing and reports if they are browsing to suspected malicious domains. According to Gundert, CWS monitors billions of website requests a day.
A report stated that it was blocking requests to 90 domains, many of those WordPress sites, for more than 17 percent of its CWS customers.
Also, the investigation showed that many of the CWS users were ending up on those domains after viewing advertisements on high-traffic domains such as “apps.facebook.com,” “awkwardfamilyphotos.com,” “theguardian.co.uk” and “go.com,” a Disney property, etc.
Some of the adverts which were shown on those domains, however, had been tampered with. If clicked on them, they redirected users straight to one of the 90 domains.
This method of attacking is known as “malvertising,” and it has been an issues for a long time. The advertising networks have taken steps to try and detect malicious advertisements placed on their network, however, the security checks aren’t foolproof.
From time to time, malicious ads slip in, which are shown on a vast array of websites that have signed up with the network or its affiliates. The websites where the adverts appear are usually unaware they’re being abused.
“It goes to show that malvertising is a real problem,” Gundert said. “People expect when they go to a Tier 1 website that it is a trustworthy place to visit, but because there are so many third-party external links, that’s not really true.”
Gundert stated that the 90 domains the malicious advertisements pushed traffic to, had also been hacked. Regarding the WordPress sites, it appears the attackers used brute-force attacks, which involves guessing login credentials, to access the website’s control panels. After that, an exploit kit called Rig was inserted, which attacked the victim’s computer, Gundert explained.
The Rig exploit kit, which was first spotted last April, checks if users are running an unpatched version of Flash, Java or the Silverlight multimedia program. In case someone’s computer isn’t patched, “you’re instantly exploited,” Gundert said.
The next stage is when a ransomware program called “Cryptowall,” a relative of the infamous Cryptolocker malware, gets installed on the system. This program encrypts the user’s files, demanding a ransom.
In another sign of the operation’s sophistication, the website where users can pay the ransom is a hidden website that uses The Onion Router, or the TOR network.
In order to navigate to a TOR hidden website, a user must have TOR installed, which Cryptowall helpfully provides instructions for how to install. Everyone who delays paying the ransom find it increases as time passes.
According to Gundert, most probably, several groups or people with different skills, such as malvertising, traffic redirection, exploit writing and ransomware campaigns, are working together.
“You could have a threat actor putting together all of these pieces on their own, but there are so many different specialties involved in this attack chain,” Gundert concluded.