A massive malvertising campaign in the Netherlands is currently infecting some of the most popular Dutch websites. By now, the campaign has hit 288 websites in total, and there could be more very soon.
Malvertising is the practice of creating ads that appear legitimate but actually spread malware by hiding a small piece of code deep in the ad's script. Once a user clicks on such an ad, the PC is instantly connected to criminal servers and the malware is downloaded at once.
According to researchers at the Fox-IT Security Operations Center, the above-mentioned malvertising campaign is being delivered through an advertisement platform that loads external scripts before redirecting traffic to the Angler Exploit Kit. From there, TeslaCrypt, Cryptowall and other infections can be disseminated.
The Web analysis firm SimilarWeb estimates that Nu.nl alone had more than 50 million visitors in March. Among the other affected websites are the eBay-style service Marktplaats.nl and popular news and culture websites, Fox-IT added.
“We’ve been in contact with the affected advertisement provider who responded quickly to the incident and has filtered the listed IOCs in their advertisement platform,” the security researchers explained. “They will be tracking down the affected content provider as this issue has not been fully resolved, it has simply been filtered for now.”
Because malvertising is relatively easy to execute, it is an increasingly popular attack vector. According to recent research from RiskIQ, malvertising jumped over 300 percent year on year between 2014 and 2015, following a string of exploitations of major publishing websites such as Huffington Post, Forbes.com and The Daily Mail. Currently, the most common lure used in malvertisements is the bogus Flash update.
In March, several high-profile media websites, including the BBC, MSN, AOL and the New York Times, were affected by a rash of malicious ads. Some of the other infected websites in what is almost certainly a coordinated attack include My.Xfinity, NFL.com, Realtor, Comcast outpost, TheWeatherNetwork, Newsweek and thehill.
“Clearly cyber-criminals are targeting high-traffic sites to try to encourage a larger number of clicks, and consumers are probably more likely to trust ads which are displayed on well-known, trusted websites,” stated Malcolm Murphy, systems engineering manager at Infoblox. “Meanwhile, the malware itself continues to grow in sophistication, often exploiting an organization’s domain name system, or DNS, as a pathway to connect to a malicious destination or botnet.”