Malvertising, the malicious activity that involves spreading malware via online advertising, has been trending up over the past few years, and 2016 might become a record-breaking year for it, Cyphort Labs researchers suggest.
Based on the pace at which unique domains used in malvertising have been found since the beginning of the year, Cyphort Labs estimates that 2016 will top 2100 unique domains, more than double compared to 2014. The growing trend was observed last year as well, when the number of unique domains used in malvertising and tracked by the security company reached 1654.
Because millions of users trust high-trafficked, clean sites, malvertisers have started to target them more often, because they promise wider reach and higher success rate for infection. Last year, malvertising campaigns were observed hitting the Yahoo! advertising network, as well as various well-trafficked sites from around the world, including eBay, Answers.com, and TalkTalk.
Earlier this year, security companies noticed that top global sites were hit in a malvertising campaign leveraging the Angler exploit kit (EK), including msn.com, nytimes.com, bbc.com, aol.com, nfl.com, and others. Now, Cyphort researchers reveal that perezhilton.com, which has around half a million daily users, was the most recent target of a malvertising attack.
The Cyphort researchers first noticed that the site was redirecting users to the Angler EK on April 30, 2016, and that the CryptXXX ransomware was being installed on the victim’s machines following the attack. The rogue advertiser in this campaign was som.barkisdesign.com, also used in another operation targeting visitors of KMOV and WBTV, two CBS affiliated TV stations.
In that attack, detailed by Malwarebytes last week, attackers were abusing the Taggify self-serve ad platform, while also hijacking GoDaddy accounts to create various subdomains pointing to malicious servers. While the main malvertising domain was parked, the subdomain was hosting an ad banner that would redirect users to Angler.
The som.barkisdesign.com redirector was used by other popular websites in early May as well, Cyphort says. Furthermore, perezhilton.com was targeted again on May 6. The second time, however, attackers used the ox-d.blogads.servedbyopenx.com and adserver.adtechus.com redirectors, and were abusing Amazon Cloudfront CDN to distribute a different Exploit Kit.
“Malvertising continues to be one of the preferred vectors for attackers to compromise users’ machines with malware. Many users fought back by disabling all advertising to secure themselves. Nearly 200 million now use Adblock, according to Statista. In 2015, this form of ad blocking cost publishers nearly $22 Billion dollars,” researchers say.
In September last year, even Forbes was hit by a malvertising campaign launched through a third-party advertising service. According to FireEye researchers, Forbes.com might have redirected its visitors to Angler and Neutrino EKs between September 8 and September 15.