Security researchers at Malwarebytes have revealed that a number of major news websites have been hit by a cryptolocker malvertising campaign, which saw adverts hijacked and ransomware being installed on users’ computers.
US users of New York Times, BBC, NFL and AOL websites targeted
Malwarebytes claims that the attack hit some of the biggest publishers in the business, including msn.com, nytimes.com, bbc.com, aol.com, my.xfinity.com, nfl.com, realtor.com, theweathernetwork.com, thehill.com, and newsweek.com, and aimed to target US users, over the weekend that began 19th March. Affected networks included those owned by Google, AppNexis, AOL, and Rubicon. Together, the sites have traffic in excess of billions of visitors.
The malware gained access to the advertisements via multiple vulnerabilities, namely a recently-patched flaw in Microsoft’s discontinued, as of 2013, video playing software, Silverlight. It also hit multiple ad networks for maximum coverage.
1-2 BTC demanded in exchange for the decryption keys
When users were confronted with the infected adverts, they were redirected to servers hosting the hugely popular ‘Angler exploit kit’, which tries to discover any means by which it could infect the user’s computer. If a backdoor is found, a cryptolocker-style software would be installed, encrypting the user’s data and demanding a Bitcoin payment of usually 1-2 BTC in exchange for the decryption keys.
Daniel Chechik, Simon Kenin, and Rami Kogan, SpiderLabs researchers, write:
"If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page. Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware–double the trouble."
Due to the nature of the attack, the debate surrounding adblockers is sure to be revitalised. Many will argue that the hugely damaging effects that this attack could and may have had on users, justifies the use of the software. However, others will argue that advertisements are crucial for internet companies to survive as there are no other feasible means of turning a profit.
The SpiderLabs researchers speculate the people pushing the bad ads are on the lookout for expired domains containing the word "media" to capitalize on the reputation they may enjoy as a legitimate address.
The Bitcoin and cryptocurrency community very much begs to differ. In a recent article, CoinTelegraph investigated how cryptocurrencies could solve the problem of adblockers.