New Attack Demonstrates Diversity and Wide-Reaching Nature of Malvertising
Wednesday, August 6, 2014
SUNNYVALE, Calif., August 6, 2014 – Blue Coat Systems, Inc., the market leader in business assurance technology, recently uncovered a malvertising attack that is leveraging major legitimate ad networks such as ads.yahoo.com to drive a CryptoWall Ransomware campaign. In malvertising attacks, cyber criminals gain legitimacy for their ad servers within ad networks and then serve malicious ads to high-profile sites. The ads appear legitimate but deliver malware or other unwanted software to the unsuspecting user.
“What looked like a minor malvertising attack quickly became more significant as the cyber criminals were successfully able to gain the trust of the major ad networks like ads.yahoo.com,” said Chris Larsen, Architect of the WebPulse Threat Research Team for Blue Coat Systems. “The interconnected nature of ad servers and the ease with which would-be attackers can build trust to deliver malicious ads points to a broken security model that leaves users exposed to the types of ransomware and other malware that can steal personal, financial and credential information.”
Over a period of several weeks, Blue Coat security researchers tracked malicious traffic associated with the CryptoWall ransomware campaign. CryptoWall is a Trojan that encrypts various document file types and demands a financial payment for their safe return. While investigating the origin of the traffic coming to the malicious sites, the research team identified a series of referring websites in countries such as India, Myanmar, Indonesia and France.
In addition to a variety of sites across countries and languages, the research team also identified adsmail.us as a referring site to the malicious networks. Blue Coat security researchers flagged the site as malvertising when they noted it was sending traffic to another malicious network and wasn’t sending traffic to any legitimate sites whatsoever. Adsmail.us is also fed traffic by at least two other suspicious ad servers, instadserver.com and australianadserver.com. Traffic is also fed by ads.yahoo.com and other legitimate ad networks.
The discovery of major ad servers with broad potential reach referring traffic to adsmail.us transformed this attack from a minor one to one that could cause much more damage. It also points to why malvertising has become the leading threat vector for web-based threats.
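The flagging rule described above (a referrer that sends traffic to a malicious network and to no legitimate site) can be run over proxy referer data. The following is an added example, not Blue Coat's code; it goes one step further by also flagging ad servers that feed only already-flagged relays. The log format, the `.example` hosts and the seed list are constructed assumptions.

```python
from collections import defaultdict

# Constructed "<referer_host> <destination_host>" pairs, as might be extracted
# from proxy logs. *.example hosts are placeholders; the rest are named above.
SAMPLE_LOG = """\
news-site.example ads.yahoo.com
ads.yahoo.com adsmail.us
ads.yahoo.com retailer.example
instadserver.com adsmail.us
australianadserver.com adsmail.us
adsmail.us exploit-net-a.example
adsmail.us exploit-net-b.example
retailer.example cdn.example
"""

# Assumed seed: hosts already confirmed malicious by earlier investigation.
SEED_MALICIOUS = {"exploit-net-a.example", "exploit-net-b.example"}


def build_edges(log_text):
    """Map each referrer to the set of destinations it was seen sending to."""
    out_edges = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.lower().split()
        if len(parts) == 2:  # skip malformed lines
            out_edges[parts[0]].add(parts[1])
    return out_edges


def flag_relays(out_edges, seed):
    """Flag referrers whose every observed destination is malicious or flagged.

    Repeats until nothing changes, so servers feeding only flagged relays
    are flagged too. A referrer with any clean destination is never flagged.
    """
    bad, flagged, changed = set(seed), set(), True
    while changed:
        changed = False
        for ref, dsts in out_edges.items():
            if ref not in bad and dsts <= bad:
                bad.add(ref)
                flagged.add(ref)
                changed = True
    return flagged


def exposed_feeders(out_edges, flagged):
    """Unflagged hosts that still refer traffic into a flagged relay."""
    return {ref: sorted(dsts & flagged) for ref, dsts in out_edges.items()
            if ref not in flagged and dsts & flagged}


if __name__ == "__main__":
    edges = build_edges(SAMPLE_LOG)
    relays = flag_relays(edges, SEED_MALICIOUS)
    print("flagged relays:", sorted(relays))
    print("legitimate feeders to review:", exposed_feeders(edges, relays))
```

The second result is the list to hand to the ad network or to a blocking policy: hosts that are not malicious themselves but are observed referring users into a flagged relay.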