Last week, some big name media outlets including the L.A. Times and Salon.com were hit by a malvertising attack. As a result, thousands of readers were sent to malicious sites such as the Black Hole exploit kit site.
Malvertising attacks aren’t new. Essentially, the bad guys use the targeted advertising that appears on websites to embed malware, and it is an infection that is nearly impossible to prevent. As Matt Huang explained in a USA Today article:
… Protecting ad network infrastructure is a hard problem to solve. The ad ecosystem is so big with such sophistication that it's hard to pinpoint which party in the ad serving chain is ultimately responsible for the malicious ad.
In most cases, the website that displays the ad and the end user who sees the ad have no control over what ads will be displayed. This becomes a perfect playground for attackers. The technology is readily available, the cost is cheap, and the impact is not only great, but can be precisely targeted.
Researchers at Blue Coat Systems have noticed that malvertising ads are showing up far more frequently. After investigating, they discovered that a site named adhidclick.com, part of a family of related domains, was sending traffic to Black Hole sites. The domain was registered in December 2012, but it didn’t become active until the end of August 2013. With some of the malware sites lying dormant for many months after registration before the attack was launched, this attack demonstrates a high degree of planning and patience.
According to Blue Coat Malware Lab Architect Chris Larsen, the “funnel layer” of the malvertising network swaps through a set of relay sites to send traffic to the exploit sites. The end result is that the sites that are hosting the malicious ads don’t realize that they are possibly infecting their customers. Larsen also stated in a blog post:
The long hibernation time for these sites is very interesting. A second point of interest is how segmented this attack is—the bad guys managed to get each of these fake ad domains into a position of trust with a different target market, so that even if one were to be discovered, the overall attack could continue. (And at the lower levels, the sites are changing very rapidly, so they don't care if those get identified.)
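Two of the traits described above are observable from the defender's side: a domain that sits dormant for months after registration before it starts serving traffic, and a chain of ad and relay hosts that ends at an exploit-kit landing page. The script below is an added example (not Blue Coat's code or anything from the original article) that applies both checks to constructed proxy log lines. Only adhidclick.com and its December 2012 registration come from the article; every other host name, date and the 180-day dormancy threshold are placeholders chosen for the illustration.

```python
from datetime import date

# Constructed registration dates (WHOIS-style). Only adhidclick.com and its
# December 2012 registration are from the article; the rest are placeholders.
REGISTRATION = {
    "adhidclick.com": date(2012, 12, 1),
    "ads.example-network.net": date(2009, 3, 14),   # long-established ad network
    "relay-a.example": date(2013, 8, 20),          # fast-changing lower-level relay
}

# Constructed proxy log lines: timestamp, client IP, referer host, requested host.
# "exploit.example" stands in for an exploit-kit landing site.
LOG_LINES = """\
2013-09-03T10:15:01Z 10.0.0.7 news.example ads.example-network.net
2013-09-03T10:15:02Z 10.0.0.7 ads.example-network.net adhidclick.com
2013-09-03T10:15:02Z 10.0.0.7 adhidclick.com relay-a.example
2013-09-03T10:15:03Z 10.0.0.7 relay-a.example exploit.example
2013-09-03T10:16:40Z 10.0.0.9 news.example ads.example-network.net
"""

KNOWN_EXPLOIT_HOSTS = {"exploit.example"}   # placeholder blocklist entry
DORMANCY_DAYS = 180       # assumed threshold: "dormant" if idle this long after registration
MAX_DOMAIN_AGE_DAYS = 540  # assumed: only young domains are interesting, old ones are expected to be idle


def parse_log(text):
    """Split the constructed log into dicts; one dict per request."""
    events = []
    for line in text.splitlines():
        ts, client, referer, host = line.split()
        events.append({"ts": ts, "client": client, "referer": referer, "host": host})
    return events


def redirect_chains(events):
    """Walk referer links backwards from any request to a known exploit host,
    reconstructing the publisher -> ad network -> funnel -> relay -> exploit chain."""
    chains = []
    by_client = {}
    for ev in events:
        by_client.setdefault(ev["client"], []).append(ev)
    for client, evs in by_client.items():
        prev = {ev["host"]: ev["referer"] for ev in evs}  # requested host -> its referer
        for ev in evs:
            if ev["host"] in KNOWN_EXPLOIT_HOSTS:
                chain, cur, seen = [ev["host"]], ev["host"], set()
                while cur in prev and cur not in seen:  # stop at the first host with no referer, or on a loop
                    seen.add(cur)
                    cur = prev[cur]
                    chain.append(cur)
                chains.append((client, list(reversed(chain))))
    return chains


def dormant_domains(events, registration, threshold_days=DORMANCY_DAYS,
                    max_age_days=MAX_DOMAIN_AGE_DAYS):
    """Return {host: idle_days} for young domains whose first observed request
    comes at least threshold_days after registration."""
    first_seen = {}
    for ev in events:
        day = date.fromisoformat(ev["ts"][:10])
        if ev["host"] not in first_seen or day < first_seen[ev["host"]]:
            first_seen[ev["host"]] = day
    flagged = {}
    for host, seen in first_seen.items():
        reg = registration.get(host)
        if reg is None:
            continue
        gap = (seen - reg).days
        if threshold_days <= gap <= max_age_days:
            flagged[host] = gap
    return flagged


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    for client, chain in redirect_chains(events):
        print(client, " -> ".join(chain))
    for host, gap in dormant_domains(events, REGISTRATION).items():
        print(f"{host}: first seen {gap} days after registration")
```

The dormancy check deliberately ignores long-established domains: an ad network registered years ago is expected to have a large gap between registration and whatever window your logs cover, so the heuristic only fires for domains registered within the last year and a half. In practice the first-seen dates would come from passive DNS rather than a single day of proxy logs, and the chain reconstruction is what lets you tell the publisher (who is as much a victim as the reader) which ad network and which funnel domain to raise the complaint with.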
Security companies continue to work on a solution to prevent malvertising, but this is one area that is going to be tough to solve because of the way these ads are set up. Of course, the Catch-22 is that no one wants to—or can afford to—eliminate the ads from their sites. Right now, there appear to be no real answers on how to deal with malvertising campaigns.
If customers came to me with a complaint that they were led to a malicious site because of an ad on my website, I would listen to them and start a conversation with the advertisers. Don’t dismiss your customers’ concerns or complaints. Once, when I reported a malware warning I got, the site owner told me that I was wrong, that the site was completely safe. You know what? I’ve never gone back to that site, even though I knew the malware problem wasn’t their fault, if only because the organization didn’t take it seriously. Today, it’s all about communication and working together, especially as the bad guys get more sophisticated.