
Malvertising on Pace for a Record-Breaking Year

2016-05-09 19:05

The Cyphort Labs crawler monitors the top sites in the world 24×7 to find cases of malicious code served via drive-by exploits. Most of the sites we see serving exploits are not compromised themselves, but redirect to advertisers poisoned by malware. This technique is called malvertising, and in August of 2015 we issued a special report on its phenomenal growth.

Here is the latest update on the number of unique domains we have found per year:

  Year  Number of unique domains
  2014  910
  2015  1654
  2016  2102*

  *estimate based on the number seen so far.

As you can see, malvertising growth continues and is on pace for the largest year ever.

We discover interesting new malvertising cases on a daily basis.

For instance, on April 30, 2016, the Cyphort crawler found that the popular US website PerezHilton.com was redirecting users to an Angler Exploit Kit. According to SimilarWeb, PerezHilton.com has half a million visitors every day!



Here is the infection chain in this case:

  start       perezhilton.com
  redirector  som.barkisdesign.com
  Angler EK   aluevalvontamme.kinghornagency.com/[…]3.html?utm_source=perezhilton.com


In the screenshot below you can see the IFRAME leading to Angler’s landing page. After browser exploitation, Angler typically drops the Bedep malware, which then downloads CryptXXX ransomware and infects the victim’s machine with it.


And here is the screenshot of the JavaScript Angler code.



It looks like som.barkisdesign.com was also the culprit in the attacks on CBS-affiliated television stations that our friends at MalwareBytes blogged about recently.

We have seen other popular websites in early May using the same som.barkisdesign.com redirector:

  • www.aporrea.org on May 2
  • www.nowtheendbegins.com on May 2
  • www.lolking.net on May 3

On May 6 we saw PerezHilton infected again! This time the chain is:

  start        perezhilton.com
  redirector   ox-d.blogads.servedbyopenx.com
  redirector   adserver.adtechus.com
  Exploit Kit  over SSL


Note that this infection is different:

  • a different exploit kit
  • a redirector from AOL (adtechus.com)
  • the Amazon CloudFront CDN used to distribute the malware

Malvertising continues to be one of the preferred vectors for attackers to compromise users’ machines with malware. Many users fought back by disabling all advertising to secure themselves. Nearly 200 million people now use Adblock, according to Statista. In 2015, this form of ad blocking cost publishers nearly $22 billion.

 Here is the graphic on the growth of Adblock users.




Malvertising is effective because users tend to trust mainstream, high-trafficked “clean” websites. The attackers abuse this trust to infect them via third-party ad content. 

Advertising networks should use continuous monitoring: automated systems that repeatedly check for malware ads. They need to scan early and scan often, pick up changes in the advertising chains, and leverage the latest threat intelligence to power these monitoring systems.
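One way to pick up changes in advertising chains and pivot on a flagged redirector, as an added example that is not from the original post or Cyphort's crawler. The crawl records are constructed: host names are the ones named above, while the paths, the April 29 baseline row and ek-host.example are placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed crawl log: (date, publisher, redirect chain). Host names come from
# the article; paths, the 04-29 baseline row and ek-host.example are placeholders.
CRAWLS = [
    ("2016-04-29", "perezhilton.com",
     ["http://perezhilton.com/", "http://ox-d.blogads.servedbyopenx.com/ad"]),
    ("2016-04-30", "perezhilton.com",
     ["http://perezhilton.com/", "http://som.barkisdesign.com/r",
      "http://aluevalvontamme.kinghornagency.com/landing"]),
    ("2016-05-02", "www.aporrea.org",
     ["http://www.aporrea.org/", "http://som.barkisdesign.com/r"]),
    ("2016-05-03", "www.lolking.net",
     ["http://www.lolking.net/", "http://som.barkisdesign.com/r"]),
    ("2016-05-06", "perezhilton.com",
     ["http://perezhilton.com/", "http://ox-d.blogads.servedbyopenx.com/ad",
      "http://adserver.adtechus.com/ad", "https://ek-host.example/"]),
]

def chain_hosts(chain):
    """Host name of every hop in the chain, in order."""
    return [urlsplit(url).hostname for url in chain]

def chain_changes(crawls):
    """Per publisher, report hosts absent from all of its earlier crawls.
    The first crawl of a publisher only seeds the baseline."""
    seen, alerts = {}, []
    for date, publisher, chain in sorted(crawls):
        hosts = chain_hosts(chain)
        if publisher in seen:
            new = [h for h in hosts if h not in seen[publisher]]
            if new:
                alerts.append((date, publisher, new))
        seen.setdefault(publisher, set()).update(hosts)
    return alerts

def publishers_behind(bad_host, crawls):
    """Pivot on a flagged redirector: publishers whose chains used it, with dates."""
    hits = defaultdict(list)
    for date, publisher, chain in crawls:
        if bad_host in chain_hosts(chain):
            hits[publisher].append(date)
    return dict(hits)

if __name__ == "__main__":
    for alert in chain_changes(CRAWLS):
        print("chain changed:", alert)
    print(publishers_behind("som.barkisdesign.com", CRAWLS))
```

A newly seen host is a signal to rescan that chain, not a verdict: legitimate ad servers also appear for the first time this way.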

We predict that malvertising will continue to rise. We will continue to track it and will share further updates on this blog.


The post Malvertising on Pace for a Record-Breaking Year appeared first on Cyphort.

Source: www.cyphort.com/malvertising-on-pace-for-a-record-breaking-year/
