Faked Flash-based ads on HuffPo, other sites downloaded extortionware

Google’s DoubleClick advertising network is the lifeblood of many websites driven by ad revenue—and it’s also a potential path of attack for criminals trying to spread extortionware and other malware. Some Huffington Post readers fell victim to malicious advertisements spread through Google’s DoubleClick network early this week, but another simultaneous attack may have reached an even bigger audience.

Two ad network merchants became an unwitting accomplice to attackers with similar Flash-based ads, displaying them on multiple legitimate sites. The Huffington Post advertisement—a fraudulent Hugo Boss ad which also appeared on other major legitimate sites (including the real estate site Zillow.com)—was spread through DoubleClick via the ad network AdButler, according to Malwarebytes, which tracked the attack. That attack attempted to download Cryptowall ransomware to victims’ PCs.

The second attack came to DoubleClick through Merchanta, an ad network that serves up 28 billion advertisement impressions a month in the US alone. There is no estimate of how many people were exposed to the attack, but it likely cast a worldwide net and could have infected thousands of PCs with malware. Malwarebytes did not collect the malware payload of the Merchanta attack, but Malwarebytes Lab’s Jérôme Segura wrote in a post on the attack that the Flash exploit used in both attacks was identical, using the same Flash exploit kit. “It is worth noting that this malicious SWF (Flash file) had zero detection on VirusTotal when it was first submitted,” Segura said.

Both attacks were spread to DoubleClick through real-time bidding through multiple ad networks. The Merchanta ad was placed through an account for Bidable.com, a real-time bidding company, belonging to a fraudulent customer posing as a legitimate advertiser. (The ad in question appeared to be for Hermés Paris.)

In this sort of malvertising fraud, the attackers usually send a non-malicious version of the advertisement to the network for approval and then send a replacement “minor modification” of the ad at the last minute, hoping to get past quality checks by the network provider. When successful, the malicious ad gets pushed out with full approval to other ad networks through bidding for available ad frames.

As a result, hundreds of legitimate websites end up displaying ads that could infect visitors with Cryptowall or other malware without detection. While other malvertising attacks have used malicious hidden IFRAME elements to invisibly redirect users to an exploit site, these two attacks used the recent Flash vulnerability alone to perform the download.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s