'Malvertising' found on Telstra website

An advertisement on the media content home page of Australia's largest telecommunications company, Telstra, was infected with 'malvertising' linked to a malicious exploit kit.

The malvertisement – 'malicious advertising' – appeared to show a Lamborghini Gallardo for sale, but actually contained a link that redirected users (via Google's own URL shortener) to a separate website where a Nuclear exploit kit payload was lying in wait. The payload in this case was a banking Trojan.

Telstra has since disabled the link to the malvertising attack.

Malvertising is the distribution of malware injected into legitimate online advertising.

The hack itself was reported by Malwarebytes researcher Jerome Segura. He reported that this malvertising was similar to an attack on the PlentyOfFish dating website.

Cases of malvertising typically see whole web advertising chains/networks being infected. The attack here, therefore, was not on the Telstra website as such, but on the network serving the advertisements it was displaying.

The Nuclear exploit kit that this hack pointed to is an off-the-shelf piece of hacking software with tools to exploit vulnerabilities in the runtime environments of browsers and the core backbone software that runs on the web.

While Telstra is not directly culpable for this attack, users clearly place a certain level of trust in media providers of this type that operate at a national and/or international level.

With incidents like this becoming more prevalent, the liability of host sites for dynamic content presented in advertisements does come into question.

According to Jas Singh, CTO at health and community management company Medelinked, “Publishers need to make sure they implement controls and threat detection policies to defend their environment and mitigate such attacks. Typically, this starts with URL filtering and web reputation filtering as some of the first checks that can be implemented.”

Singh said that if user-requested web content gets past the URL and reputation filtering then real-time malware detection should also be put in place.

Gavin Reid, VP of threat intelligence at Lancope, said that in the underground economy, PCs are monetised in various ways: stealing of accounts, click-through fraud, phishing, DDoS, pirated software sites, fake anti-virus, ransomware and so on.

“Many, if not all, of the top 100 websites have fallen victim to compromised sponsored advertising (or malvertising). If you can get an advert with a malware redirect posted to a major website, there is no need to compromise the site,” he said.

Reid explained that miscreants use a hacked account or a stolen credit card to pay for the malware-laden ads, and the fact that they lead back to the ad provider provides great cover.

“The adverts themselves can be targeted to the exact audience you want and security defenders can't blacklist the site or the advert-provider. This is where quick and very specific URL blocking can help, however as with AV signatures this is a race with both time and numbers being in favour of the miscreants,” he added.

Senior malware analyst at Avast Jaromir Horejsi clarified just where users stand in relation to the secure web today.

“HTTPS cannot help avoid malvertising; in fact, malvertising can be (and sometimes is) spread by infected online advertising services over HTTPS. To protect themselves from malvertising, people should keep their software, such as browsers and plugins, up to date, and adjust browser settings to detect and flag malvertising. They should also have antivirus software installed to detect and block malicious payloads that can be spread by malvertising.”

Simon Edwards, principal consultant at Damballa, said this use of re-directions (in this case from advertisements) to inject malware is a common attack vector seen by his team.

“It is a natural progression to see these attacks start to use advertisements (as opposed to infected URL links off a web site). What is scary in this case is the impact to reputation that it will have to the website showing the advert in the first place (Telstra). Organisations rely on advertising revenues but they must do better at establishing whose adverts they are showing,” said Edwards.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition