Compromised ad servers have been pushing out ransomware directly to unwitting users of many popular domains. As reported by Ars Technica (via MalwareBytes and others), whose story is heavily referenced here, the domain list contains a number of high traffic sites.
"It hit some of the biggest publishers in the business, including msn (.com), nytimes (.com), bbc (.com), aol (.com), my.xfinity (.com), nfl (.com), realtor (.com), theweathernetwork (.com), thehill (.com), and newsweek (.com). Affected networks included those owned by Google, AppNexis, AOL, and Rubicon."
(Image credit: Ars Technica)
Unfortunately, the story doesn't get better from here. The Ars report continues:
"The ads are also spreading on sites including answers (.com), zerohedge (.com), and infolinks (.com), according to SpiderLabs. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia (.com)."
The ads have been traced back to multiple domains, including: trackmytraffic (.biz), talk915 (.pw), evangmedia (.com), and shangjiamedia (.com). The report continues:
"The SpiderLabs researchers speculate the people pushing the bad ads are on the lookout for expired domains containing the word "media" to capitalize on the reputation they may enjoy as a legitimate address."
The full article from Ars Technica can be found here as well as the source link, and the cited Malwarebytes post can be found here.
So how did they do it? The banner ads themselves carried the malicious code, which could compromise the viewer's system undetected.
"When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.
'If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page,' SpiderLabs researchers Daniel Chechik, Simon Kenin, and Rami Kogan wrote. 'Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware…' "
It goes without saying that advertising online is a sticky issue. It can be intrusive, with ads blocking article text, or autoplay videos creating a cacophony of unwanted noise somewhere amidst the many open tabs. It can also be done with class, respectful of the reader's experience (and I would use our own site as an example).
A large number of web users employ ad-blocking extensions in their browser, though it is often the case that ad revenue pays for the costs associated with keeping such sites online. This outbreak is a further blow to the already shaky financial stability of many sites, as news such as today's ransomware debacle hits the tech (and soon the mainstream) press.
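The chain described above (a script in the ad creative that appends an iframe pointing at the exploit-kit landing page, served from the campaign's "media"-style domains) is something a publisher or a home DNS filter can look for. The following is an added example, not code from the article, from Ars Technica or from SpiderLabs/Malwarebytes: it takes the five domains the report names as indicators, scans an ad creative's HTML for iframes pointing at them, and applies the same matcher to dnsmasq-style DNS query log lines. The HTML snippet and log lines are constructed samples; `example-publisher.invalid` is a placeholder.

```python
"""Flag ad creatives and DNS queries that reference the domains named in the report.

Added example. Indicator domains are the ones named in the article; the HTML
sample and the log lines below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the article names as sources of the malicious creatives.
CAMPAIGN_DOMAINS = {
    "brentsmedia.com",
    "trackmytraffic.biz",
    "talk915.pw",
    "evangmedia.com",
    "shangjiamedia.com",
}


def host_matches(host, domains=CAMPAIGN_DOMAINS):
    """True if host equals, or is a subdomain of, any indicator domain.

    Suffix matching is anchored on a dot so that "notbrentsmedia.com"
    does not match "brentsmedia.com".
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document, in order."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def iframe_host(src):
    """Hostname of an iframe src; protocol-relative "//host/path" is handled too.

    A relative src such as "/frame.html" has no host and yields "".
    """
    return (urlsplit(src).hostname or "").lower()


def flagged_iframes(html):
    """Return the src of every iframe whose host is an indicator domain."""
    parser = IframeCollector()
    parser.feed(html)
    return [s for s in parser.srcs if host_matches(iframe_host(s))]


def flagged_dns_queries(log_lines, domains=CAMPAIGN_DOMAINS):
    """Return queried names from dnsmasq-style lines that hit an indicator.

    Expected line shape: "<timestamp> dnsmasq[pid]: query[A] <name> from <client>".
    Lines that do not look like query records are skipped.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 5 and parts[-4].startswith("query["):
            name = parts[-3]
            if host_matches(name, domains):
                hits.append(name)
    return hits


# Constructed sample: a normal publisher creative plus an appended 1x1 iframe
# to one of the reported domains, mirroring the behaviour the article quotes.
SAMPLE_AD = (
    '<div class="ad"><img src="https://cdn.example-publisher.invalid/banner.png"></div>'
    '<iframe src="//ads.example-publisher.invalid/frame.html"></iframe>'
    '<iframe src="http://ads.brentsmedia.com/landing.html" width="1" height="1"></iframe>'
)

# Constructed dnsmasq-style query lines (the format pi-hole style filters log).
SAMPLE_DNS_LOG = [
    "Mar 15 12:00:01 dnsmasq[123]: query[A] www.example-publisher.invalid from 192.168.1.10",
    "Mar 15 12:00:02 dnsmasq[123]: query[A] cdn.talk915.pw from 192.168.1.10",
    "Mar 15 12:00:03 dnsmasq[123]: reply cdn.talk915.pw is 203.0.113.7",
]

if __name__ == "__main__":
    print("flagged iframes:", flagged_iframes(SAMPLE_AD))
    print("flagged queries:", flagged_dns_queries(SAMPLE_DNS_LOG))
```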
Free advice. Make backups.
Keep them offline.
Make one user with write access to your NAS, and only use a read-only account to access your NAS. Map your drives using a read-only account so that this ransomware cannot write to your volumes.
Login to your pc only with a non-administrator account for the same reason.
Make sure you never run Flash, ever, or in fact any Adobe products.
the ^^above^^ is true. my laptop got nicked (by ransomware) and all my drives were affected INCLUDING installed google drive which really shocked me! thank god my NAS was off at the time. I didn’t pay the f*@”ers; a format solved the issue.
M$ silverlight TOO, it is another Swiss Cheese attack vector! AND M$ keeps pushing the silverlight update back onto your system via windows update, I had to hide it about 5 times in the period of 10 minutes just to get it to stay hidden! Websites that use Adobe should be really thinking about going full HTML5, same goes for silverlight, and other software.
It’s getting to the point where there should be a requirement for any ad serving web business/service to be shut down until they can clear their infection, much like a restaurant has to shut down when they have a biological infection problem. Shut down and not allowed to reopen until a third party service can certify them as clean and safe to use. If some ad pusher’s servers are pushing infected ads, shut them down until they can prove they are clean, shut them down (their servers) and block their domains from internet access with severe penalties if they should try to get back online with any domain until their servers are certified clean.
Any website getting infected ads from their ad services should have to block that service until that service is third party certified clean! And any website that uses any ad pushing service that does not practice due diligence in stemming the infected ad flow once it becomes apparent should join in the penalties!
That’s why I think users should use ad blockers and whitelist sites that care about their security and experience, like pcper.com
Thanks for the heads-up
Ad blockers don't actually protect against exploits. Exploit mitigations do.
I always hate reading comment sections on these kinds of stories because it's nothing but people complaining about how horrible ads are and how they need to use ad blockers, which don't block exploits.
Using ad blockers and whitelisting certain sites is TERRIBLE security practice.
Use multi-layered exploit mitigations on your ENTIRE BROWSER and then you can let all the ads show and not worry. MBAE has built in forensics so it also functions to get compromised ad services shut down faster. Ad block and no script doesn't do that either.
I don’t know what you’re talking about or if it has any basis in fact whatsoever, but what I do know for 100% certain is that my browsing and my computer became much more reliable the day I installed ad block (it was called flash block back then.)
It’s not a subtle difference I’m talking about. My browser used to crash all the time. I often felt I needed to reboot. Then I installed flash block and boom, instant stable computer.
Internet ads never bothered me and I never had a moment where I set out to block “ads” specifically. But I’d never use a computer without this protection, because it’s an unstable unsafe mess.
If your computer is unstable because of ads, then it obviously has other issues, probably major.
If you think ad block is “protection” and have no idea what I'm talking about, then you need to get educated on security, specifically exploit kits, how they work and how to ACTUALLY protect against them.
If you have no idea about what I'm talking about, then I'd also suspect that your computer’s instability is caused by malware, probably a rootkit dropped by an exploit. Either that or you got some bad, ineffective or fake (rogue) security software, or failing hardware.
But yeah, ads shouldn't make your browser or computer unstable. And ad block and no script type stuff are NOT exploit mitigations.
Look I get you like to shout often and loud. It doesn’t actually make you any more convincing. If you’re going to deny that flash has been a source of stability and security issues for years, then there’s no way to have a productive conversation with you.
p.s. all my computers “major other issues”, “malware”, “failing hardware” etc. all magically fixed themselves the minute I turned on flashblock. Was probably just a coincidence I guess.
Where did I suggest that Flash (Java, Silverlight etc.) aren't sources of major security vulnerabilities?
They clearly are. I never indicated that they weren't.
What I AM saying, is that ad blockers, no script and Ghostery anti tracking stuff are NOT exploit mitigations and they don't replace them.
If your computer can't handle a Flash ad without “instability” it's clearly got major hardware or software issues, since normal Flash ads that aren't infected with malware aren't “demanding” to a modern computer.
You've given yourself a false sense of security, like a lot of people commenting obviously have, by misusing AD BLOCKING software as SECURITY SOFTWARE. Ad blockers are not exploit mitigations, and cannot function as exploit mitigations because of how they work.
I’m not against using other defenses too, and I do.
But you know what’s even better than having a “mitigation” to an exploit? It’s not having the exploit delivered to you in the first place. And since those exploits very commonly arrive via ad serving mechanisms, like in this present case, ad blockers do in fact drastically reduce exposure to exploits.
I agree that correctly crafted ads that do not trigger underlying flash bugs are not likely to be issues by themselves. But the undeniable history is that bugged content and/or a bugged rendering layer (flash) has been an ongoing source of problems for years. The web is a much more safe, stable and pleasant environment with flash/ad blocking and it's the first thing I’d recommend anyone put on their new computer.
The link to the malwarebyte blog seems mangled, I get an extra https// in the beginning: “http://https//blog” resulting in an error.
Thanks – looks like I did mangle it. Fixed now!
Sad to say but I use an adblocker as well as ghostery, and noscript. And stories like this make me even more thankful that I do. I do try to support outlets like pcper and other sites I use but with ads getting more obtrusive and malware running rampant like this from advertising firms it’s just not worth the risk to not use browser addons to stop the ads.
This is kind of disappointing. There are people out there trying to do the right things with ads (like you guys). Then shit like this happens, which makes more people use ad blockers.
The worst part about you guys reporting this is it will probably affect your own ad revenue. I’m glad you guys posted about it anyway.
Thank you for actually looking out for your community.
It's so easy to whitelist sites (like ours – which wasn't affected by this, and doesn't use intrusive advertising) that we can always hope our readers will choose to support us. It's up to them, of course. I personally use an ad-blocking extension, and I make use of the whitelist.
Assume that your site's ads can and will be compromised and do a story educating people how to use EXPLOIT MITIGATIONS.
All this ad blocking and no script isn't effective against compromised exploit filled websites, whereas exploit mitigations that GENERICALLY protect the entire browser and all of its plugins ARE.
The story links to Malwarebytes and the funny thing is, if people were using their FREE anti exploit software, they would have seen a warning that MBAE blocked an exploit attempt and they wouldn't have been infected.
Everyone seems so enthusiastic about ad blocking and BS like that, which exploit kits CAN get around, and no one talks about actual exploit mitigations. It's so frustrating to read stories like this, and then the comments section filled with people saying ridiculous BS about whitelisting ads and blocking them.
Just use exploit mitigations and then you don't need to care about ads at all!
Read this and immediately reinstalled Ghostery. Sorry.
Install actual exploit mitigations instead.
I use no script & ghostery
That doesn't block exploits. EXPLOIT MITIGATIONS DO.
So much passion for the cause. I like it!
Malware is a multi billion dollar industry, expected to rise to over a trillion dollars in damages by 2019.
People need to get educated if they use the internet.
People are not accustomed to having an intruder enter their home and spy on them, steal their keys and hold their house for ransom, steal from them and go around impersonating them.
That stuff happens to people online because they don't realize that this is a different world than the physical world.
People are always trying to get into other people's computers, and they can be thousands of miles away physically, but gain access to all your personal info and destroy you anyway.
Digital security is becoming just as important as physical security but people aren't keeping up with the massive attack surface they present by buying all this technology and IoT BS that they have no clue how it works, but they use it anyway.
Would you leave your keys in your unlocked car? Leave your wallet on a table in a crowded bar and walk off? Leave your doors unlocked with no alarm in a high crime area?
Those things are analogous to most people's security practice.
Most of the infected sites fail to function when they are unable to run flash, or scripting. By limiting what gets loaded, you reduce the attack surface. You can’t get hit with a Java exploit if you don’t have Java. You can’t get hit with a JavaScript exploit if you have JavaScript effectively disabled. You can’t get windows malware if you are running Linux (and no emulation of a windows environment).
If there is a potentially dangerous content type that you do not want exploited, then the safest solution is to just not load any of it. It is far safer than tools that seek to allow flash, and scripting and ads, but use special definitions and heuristics to try and spot malware style behavior and then block it, as they are not perfect.
Blocking is a full measure. For a physical example, can someone vandalize your car if you do not have a car to begin with?
Can someone bash your house windows in if you get rid of the windows and just have brick walls in their place?
Think about this, imagine if someone kept stealing your power via the outdoor electrical outlet on your home. You could hire a guard to only allow people you want to use the outlet (using even more of your resources), or you can go to the circuit breaker and simply turn that outlet off, and only turn it on when you want to use it. Adblocking, and script blocking simply reduces or removes the attack surface.
Removing plugins does minimize attack surface, but sites themselves get hacked, not just ads. That means the browser, or any internet facing application, is a potential attack surface.
Yes, the plugins are most often targeted, but you should still harden the application.
Ideally, hardware root of trust like what Bromium and Skyport (both thousands of dollars and designed for enterprise users) do, should be implemented across endpoints and infrastructure.
For normal users, they can disable plugins and reduce functionality or block ads which doesn't always work since it requires the page to load, or they can just do the most common sense thing and harden their browser.
Software like what you recommended, e.g. what Bromium offers, works by isolating tasks which are specified to be vulnerable, and housing them within their own VM.
While this can prevent malware from compromising the entire system, it does not protect you from a compromised session. Malicious code can still run within the VM, they can even make simulated system file changes (no permanent changes are made, and data specified to be sensitive can be locked completely)
The problem as touted by the company heavily, is protection from unknown attacks, AKA zero-day.
The problem is configuring this level of exploit mitigation requires a lot of work, as well as a deep understanding of what resources each process needs.
The thing is that not all malware needs complete access to the system files, and root level privileges, in many cases, the privileges of the web browser are more than enough. For example, a JavaScript exploit which attempts to brute force the login to your router, and then change the DNS server settings to a malicious DNS server, as well as possibly enabling remote management and any other actions the attacker chooses.
A user who simply never loads that type of code to begin with is much safer than a user who loaded the malicious but unknown code.
For the average user, it is simpler for them to decide, “some ads are malicious, I don’t care about ads, so it is safer for me to just not load any of them, thus even if a malicious ad uses a zero day exploit, I am still protected, best of all, it is free”.
If a website's business model relies on encouraging users to spend additional money on additional tools to protect themselves from the malicious ads on your site, then prepare to be disappointed.
It is like running a store where you tell customers to wear complete body armor because a few of the staff members are uncontrollable serial killers; it simply won’t be a successful business.
Does this infect automatically or only as the result of user action clicking on something generated by the malicious ad?
Most of the exploit kits will attempt to automatically install malware through the use of a wide range of zero day exploits.
It depends on how much scripting the ad network allows.
For a few family friends that got hit by malicious ads, it has often been automatic.
For networks where they are not automatic, they will often create a fake warning with fake close buttons where clicking anywhere on it, causes you to pull additional scripting from the malware domain which is then used to infect.
For attackers that simply do not want to spend big on exploit kits, they will do the basic warning message, e.g., warning a user that their flash player is out of date.
If you were going to an airport and a total stranger said that they will pay you $10,000 to take a suitcase that they packed, with you onto the plane, would you do it without looking at the contents of it? Would you accept the offer?
Why/ why not?
If you would not, then why would you give someone else the ability to display content on your website that you did not examine and approve first?
Even if you trust a website, the question you need to ask is do you trust their ad servers.
A cooking recipe website using double click ad services is just as unsafe as a porn website using double click ad services.
Most websites who force users to view ads often fully understand that they are spreading infections, and they are happy to do it. If they truly felt their ads were safe, they would be willing to put more on the line. e.g., offer a guarantee.
For example: “if your system gets infected due to an ad on our site, we will cover any and all expenses needed to fix any and all damages, as well as provide all compensation needed to cover any primary, secondary, and tertiary financial losses as a result of the infection”.
The sad truth is that for the online ad industry, there is no accountability and no industry consequences when they let malware through. For every major site that it has happened to, at best you get some half-ass apology and no change at all done to the way they handle ads. It is the equivalent of saying “sucks for you, it’s your fault for being unlucky”.
Ad companies are the only ones that have this little accountability. Look at what happens when a certificate authority does a single action that is considered to be a breach of trust. Virtually every major web browser immediately blacklists their certificates.
Imagine if ad companies faced the same standards (they should as they are so vital to the way we enjoy the internet). Imagine if after a single malware infection, an entire ad network would be blacklisted by every website owner who knew of it, as well as every major web browser. You would see more work put into vetting all ads that are served.
Right now, there is no effort put into making sure ads are safe because in the work place, effort = time and money, and it is an unnecessary expense when there are no repercussions for letting the bad stuff through. In fact, it encourages the spread of malware because they are encouraged to accept all paying customers.
It's FREE for you to browse these ad supported websites. That's why there's no accountability to the people who get infected.
If you were a paying customer who got screwed over by a service provider you pay to give you services, you could hold them accountable.
Since you're getting something for free and it makes you a massive target, and you know ad services are lazy with security, that means it's your choice:
browse unsecured and take the massive risk that involves,
browse and use ad blockers, which hurts the sites you use for free,
Or browse with a hardened browser, or a separate physical device like a locked down tablet and don't worry about what ads show.
I do the third option. These attacks are REALLY easy to prevent using readily available FREE exploit mitigations. The article should mention that, but it doesn't.
Free doesn’t remove liability anywhere else in life.
For a better understanding of what this means, think of this scenario.
Imagine it is Halloween, and someone gave you a box of candy to give out. If it turns out that the candy contains anthrax and Ebola, and every kid that came to your house for candy that day has died, who would be in trouble?
Now suppose after that tragedy of many kids dying from poisoned candy, you went into that infected candy stash again and decided to give all of the children at a local hospital, a belated Halloween treat basket (complete with a lifetime supply of anthrax and Ebola). Who would be in trouble then? Would it be the fault of the kids because they accepted the free Halloween candy?
What if after the second time you give the candy away and another group of people die from the anthrax-Ebola, that you decide to give the remaining supply away at a local food bank/ pantry? Who would be responsible then?
What many websites are doing is using ad services that have a history of being unsafe, and instead of making changes, they are instead thinking “hey, this tainted supply just killed a bunch of people, they must be really unlucky, hopefully the next batch of people who eat this stuff won’t be so unlucky while consuming the anthrax coated Ebola.”
Other sites like to take it further; “hey, the last group of people got some pretty bad Ebola-anthrax sickness from this stuff, maybe we should try directly rubbing in the face of another group of people to see if that makes things any better”.
You never see a case of sites going “hey, that ad company gave everyone Ebola with anthrax, we should avoid anything to do with them in the future”.
The sites listed in the article have not changed their ad services or anything since that malware outbreak. Over the years, with many reports of infected ads with some of the major sites listed, they have never made a single change.
They just keep digging into their Ebola anthrax stash and handing it out to everyone who goes by.
Don't get me wrong, I TOTALLY AGREE that there OUGHT to be accountability, but I was just saying why there isn't.
There are no direct repercussions for these sites or advertisers. There should be, but there aren't.
The whole advertising sponsored internet isn't sustainable anyway, but that's an economic issue.
Anyway, security companies like Bromium and Malwarebytes often break these stories because their software has built in forensics and telemetry that alerts them to infected domains.
The security companies then alert the ad company, who cleans up the infected ads.
The vast majority of these criminal threat actors who infect people using ads do it the exact same way. They have a seemingly legit ad that has an exploit redirect built in, and the exploit delivers the malware payload. Ransomware is the payload of choice currently, because it can be anonymously paid with Bitcoin.
So, since the problem is what it is, the people who are getting infected need to be proactive instead of being helpless.
That's why people need to use ACTUAL exploit mitigation software, so that they're protected against this kind of shit, and so that they can alert these lazy ad companies when their ads get compromised.
It's not just ads on websites either. There was recently a huge campaign using Skype ads to deliver exploits. Unfortunately, there is no free program that can effectively shield exploits in Skype except maybe custom EMET, but I don't use EMET anymore.
As someone who is disgusted with Microsoft installing Windows 10 as malware would be, and building in spyware to 10, I think they should pay for their complacency. There is no excuse for a company like Microshit or Google distributing malware, and both of them have repeatedly done it.
The question is, what would exploit mitigation software do that will better handle zero-day exploits?
Will it be better than simply not loading the content at all?
Ad blocking is so popular because not only does it increase safety (attackers find it easier to run an infected ad rather than trying to hack google.com, as a little money guarantees the display of the malicious ad on many high profile websites, thus allowing the attacker to go after more targets).
While there can always be a benefit to adding additional protections, one form of protection does not suddenly remove the need for another.
For example, with modern medicine, and the ability of doctors, you can relatively easily treat infections, and with a preemptive course of broad spectrum antibiotics, you can be reasonably sure that you will not get sick from a little rat fecal matter in your food. Tell me, does the invention of highly effective broad spectrum antibiotics mean that you should now go out and find the nearest supply of rat fecal matter to munch on?
Avoidance is one of the best forms of protection. Like with broad spectrum antibiotics allowing you to more safely eat fecal matter (exploit mitigation), there is no guarantee that there won't be something in it that the antibiotics won’t stop, thus you end up getting sick. Beyond that, you can also assume that everyone would rather not consume the fecal matter. Not only does avoidance provide complete protection from its related illnesses, it also makes for a more pleasant experience, as instead of chugging antibiotics before you order your salad with a side of rat droppings, you are instead ordering the salad without the rat droppings. I believe that everyone can assume the salad will taste better without the rat droppings.
Compared to the person chugging antibiotics and eating the rat poop with their salad, the person who simply chose to not have the rat poop in the salad is getting full protection from the rat poop, while simultaneously enjoying a better product (rat poop free salad).
Ad blocking, script blocking, disabling of plugins that you do not need, and having plugins which help to enforce rules to avoid things that are not inherently malicious but are used maliciously more often than not, such as cross site scripting, clearclick, application boundary restrictions, etc.
Many of these have legitimate functions (not malicious), but most users do not need those functions and thus it is safe to block them.
You can’t get hit by a zero day exploit on java if you are not running it. The most common recommendation from many security experts is to remove plugins that you do not use.
It is safer to remove silverlight than to have another application running that will try to mitigate the damage it can cause when it is hit by a zero day exploit (This can be applied to almost any other function).
There is no risk-free way to surf the internet, but by minimizing your attack surface, you are objectively reducing the risk associated with surfing the internet.
Ad blocking is one of those special cases where a security measure ends up improving the experience for the end user (sites load faster, browsers use less RAM, lower CPU usage, and the CPU load lasts a shorter time, thus increased battery life on laptops, tablets, and smart phones).
WHY DOESN'T EVERYONE USE MALWAREBYTES ANTI EXPLOIT? IT'S FREE FFS. IT STOPS THIS KIND OF SHIT.
No anti exploit tool is 100% effective, just as no virus scanner is 100% effective. They have to constantly be updated, and are in a state of zero day exploit 100% of the time. Remember malicious users have access to the same malware protection tools that everyone else has access to. Because of these facts, anti exploit and anti malware companies are constantly playing a game of catch-up.
The easiest solution is to just not load the content to begin with. You can’t get hit with a malicious ad if you don’t load ads to begin with.
I realize that nothing is 100% effective. Removing all plugins isn't always an option for people, and if people aren't using a separate disposable device for browsing the internet, then use the best exploit mitigations you can.
When the bad guys using the latest exploit kits give up on exploiting people running a specific mitigation software, because all it does is get them shut down faster, thats a pretty good endorsement.
https://blog.malwarebytes.org/exploits-2/2015/05/exploit-kit-authors-give-up-on-malwarebytes-users/
I'm not saying that you shouldn't use two factor, backups, best security practice in general or think that anything is 100% secure. But you might as well use something that's an actual exploit mitigation to harden your browser or other internet facing applications.
I wonder if stuff like pi-hole will help protect against this kinda stuff. https://pi-hole.net I already use it myself to filter ads.