Ransomware Epidemic Takes Aim at Publishers & Ad Networks
Ransomware surged to epidemic proportions in 2016 and there are signs that malvertising will soon replace e-mail as the preferred delivery mechanism. For publishers and online advertising networks, this is emerging as a significant worry as new discoveries show just how easy – and lucrative – it is to inject poisoned online advertising into high-profile web sites.
According to data from the United States Department of Justice, ransomware attacks are now averaging about 4,000 per day, up more than 400 percent from a year ago. For the first three months of 2016, the U.S. FBI estimates that ransomware attacks cost victims about $210 million in ransom payments and recovery costs.
The numbers, coupled with the ease in which automated malicious ads can be slipped into mainstream websites, set up a perfect storm that should be at the top of the minds of online ad operations staff.
Several high profile attacks over the last few months serve as examples of the ransomware meets malvertising reality. Multiple web publishers – including the New York Times, AOL, MSN and the BBC – were simultaneously pushing poisoned ads that infected readers with ransomware and other types of viruses.
The attack successfully compromised an automated ad network to display malware-laced banner ads on the high-traffic sites. Once the user surfed to a page that served the malicious advertising, the ad automatically redirected to two malvertising servers, the second of which delivered a well-known exploit kit known as Angler.
The Angler kit is fitted with exploits for known vulnerabilities in dozens of software including web browsers, Adobe Reader, Adobe Flash and Microsoft Silverlight.
Within 24 hours, the malvertising campaign affected tens of thousands of computers users in the US alone. The end result was millions of computer users staring at computers screens that demanded bitcoin payments for the recovery of important documents, photos or music and video files that were encrypted during the infection.
A separate attack a month later found several high profile web sites fetching a JSON file as part of the process for pulling advertising content from ad networks. That JSON file kick started a series of redirections that infected users with the TeslaCrypt ransomware variant, according to researchers at Trustwave’s SpiderLabs.
These are just two examples of the next wave in the ransomware scourge, which has hit millions around the world.
It’s pretty straightforward to hide malicious code within an advertisement’s SWF (Flash) or GIF file or even on the site’s landing page and due caution should be taken to ensure a site’s audience isn’t put at risk to malvertising attacks.