Attackers are using Flash exploits and foisting ransomware through real-time advertising bidding networks, FireEye researchers say. The attacks link to malicious or compromised advertising sites that participate in real-time bidding systems, in which ad inventory is sold to and by publishers. More than 1700 malicious advertising requests have been detected that led to malicious .swf Flash files being downloaded over hundreds of unnamed sites.

"We believe this activity is part of an active malvertising operation," FireEye Labs researchers say in an advisory. "These ads can come from ad servers that are part of a legitimate ad network or rogue ad servers controlled by attackers."

The attacks target a vulnerability (CVE-2014-0569) patched in October last year, affecting Adobe Flash and AIR, which was quickly integrated into exploit kits including the popular Angler. Damage to victims varied; FireEye bods say attackers foisted both the dangerous Cryptowall ransomware and what appear to be benign Windows files. Two .swf files are loaded; they deliver the exploit and then display an unrelated advertisement, which varied across attacks.

Researchers probing deeper discovered that the advertising sites studied used a tool dubbed 'F**k AdBlock', designed to detect 'nasty' ad blockers across popular web browsers. URLs involved in the advertising network revealed the bid pricing, impressions, and information on operating systems and web browsers.

Malvertising is a popular method for infecting web users. Last month some 1800 subdomains linked to GoDaddy accounts were found spreading the Angler exploit kit using a then Flash zero-day exploit in a surreptitious malvertising campaign.

Source
After being disrupted by law enforcement in December 2013, the peer-to-peer (P2P) ZeroAccess botnet, also known as Sirefef, has resumed advertising click-fraud activities, according to the Dell SecureWorks Counter Threat Unit (CTU). The team first noticed the botnet reactivating from March 21, 2014, to July 2, 2014, and then on Jan. 15 it started to distribute click-fraud templates to compromised systems, a Wednesday post indicates. The post notes that the botnet is made up of hosts from previous compromises and that there have been no observed attempts to expand it.

Currently, the ZeroAccess botnet's infection base is around 55,000 systems, considerably lower than the reported two million systems that were infected when the botnet was taken down at the end of 2013, Jeff Williams, director of security strategy with the Dell SecureWorks CTU, told SCMagazine.com on Friday.

“The current campaign may be small by design [perhaps in order to] evade detection, and it may be largely outside of the United States and Europe as a method to avoid those law enforcement agencies which were involved in the takedown operation (FBI in the U.S. and EC3 in Europe),” Williams said.

According to a geographic distribution of ZeroAccess botnet peers included in the post, Japan has 15,322 hosts, or 27.7 percent of total infections. India is the runner-up with 7,446 hosts, or 13.5 percent of total infections, and the U.S. came in fifth with 2,540 hosts, or 4.6 percent of total infections.

“There are a variety of ways that a criminal will infect systems with malware,” Williams said. “A common method right now is through the use of an exploit kit, embedded in a hidden frame on a webpage. In some cases, these malicious frames are part of a malicious advertising campaign and delivered through the same advertising networks which they are intending to defraud.”

Threat actors typically benefit from click fraud through the cost-per-click model of online advertising, Williams said. He explained that “the miscreant will leverage software – often in the form of a bot – to click through advertisements repeatedly in order to either generate revenue in a [cost per click] model or to exhaust the advertising budget of a rival.”

Click fraud often involves the use of a botnet so that clicks on advertisements are not seen coming from the same computer, Williams said. He explained that clicking from the same computer would trigger anti-fraud measures and that the clicks would be removed from the payout calculations, whereas using a botnet helps fraudsters remain undetected.

“The losers in a click fraud scenario from a monetary perspective are the advertisers,” Williams said. “They have invested money to have their advertisements viewed by people who may be interested in their product or service. They pay a finite amount which, when the [cost per click or cost per mille] limit is reached for that campaign, their ads are no longer displayed.”

Source
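To make the anti-fraud behaviour Williams describes concrete, here is an added example (not code from SecureWorks or the article): a constructed click log is run through the per-client repeat filter an ad network applies before payout, and the surviving clicks are charged against each campaign's cost-per-click budget until the limit is reached. The log format, client fingerprint and budgets are assumptions for the illustration; a botnet that spreads its clicks across many hosts passes this per-client check, which is exactly why the article says botnets are used.

```python
from collections import defaultdict

# Constructed sample click log (not real data): epoch seconds, campaign,
# client fingerprint (e.g. hashed IP + user agent), cost per click in dollars.
CLICK_LOG = """\
1421308800 campA client1 0.50
1421308805 campA client1 0.50
1421308810 campA client1 0.50
1421308900 campA client2 0.50
1421308950 campA client3 0.50
1421309000 campB client1 0.50
1421309100 campB client4 0.50
1421309200 campB client5 0.50
"""

def parse_log(text):
    """Turn the log into (timestamp, campaign, client, cpc) tuples."""
    records = []
    for line in text.splitlines():
        ts, campaign, client, cpc = line.split()
        records.append((int(ts), campaign, client, float(cpc)))
    return records

def dedupe_clicks(records, window=3600):
    """Keep the first click per (campaign, client) inside each window.
    Later repeats from the same client are discarded, so they never enter
    the payout calculation (the anti-fraud measure the article mentions)."""
    last_seen = {}
    kept, discarded = [], []
    for rec in sorted(records):
        ts, campaign, client, _ = rec
        key = (campaign, client)
        if key in last_seen and ts - last_seen[key] < window:
            discarded.append(rec)
            continue
        last_seen[key] = ts
        kept.append(rec)
    return kept, discarded

def bill_campaigns(kept, budgets):
    """Charge each valid click until the campaign's CPC budget is exhausted.
    Returns {campaign: (billable_clicks, spend, budget_exhausted)}."""
    spend, clicks = defaultdict(float), defaultdict(int)
    for _, campaign, _, cpc in kept:
        if spend[campaign] + cpc > budgets[campaign]:
            continue  # limit reached: the ad is no longer displayed or charged
        spend[campaign] += cpc
        clicks[campaign] += 1
    return {c: (clicks[c], round(spend[c], 2), spend[c] >= budgets[c])
            for c in budgets}
```

Running it on the sample log discards the two repeat clicks from client1 on campA and shows campA's $1.00 budget exhausted after two billable clicks while campB stays live.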