Malicious advertisements on major websites lead to ransomware

Cisco said the attacks can be traced to advertisements on Disney, Facebook and The Guardian newspaper

Cisco has linked a highly effective attack using a ransomware program called Cryptowall to malicious advertisements seeded on major websites.

Cisco has linked a highly effective attack using a ransomware program called Cryptowall to malicious advertisements seeded on major websites.

Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and others are leading people to malware that encrypts a computer's files until a ransom is paid, Cisco Systems has found.

The finding comes shortly after technology companies and U.S. law enforcement banded together in a large operation to shut down a botnet that distributed online banking malware and so-called "ransomware," a highly profitable scam that has surged over the last year.

Cisco's investigation unraveled a technically complex and highly effective way for infecting large number of computers with ransomware, which it described in detail on its blog.

"It really is insidious," said Levi Gundert, a former Secret Service agent and now a technical lead for threat research and analysis at Cisco, in a phone interview Friday.

Cisco has a product called Cloud Web Security (CWS) which monitors its customers web surfing and reports if they are browsing to suspected malicious domains. CWS monitors billions of web page requests a day, Gundert said.

The company noticed that it was blocking requests to 90 domains, many of those WordPress sites, for more than 17 percent of its CWS customers, he said.

Further investigation showed that many of the CWS users were ending up on those domains after viewing advertisements on high-traffic domains such as "," "," "" and "," a Disney property, among many others.

Certain advertisements that appeared on those domains, however, had been tampered with. If clicked, they redirected victims to one of the 90 domains.

The style of attack, known as "malvertising," has long been a problem. Advertising networks have taken steps to try and detect malicious advertisements placed on their network, but the security checks aren't foolproof.

Occasionally, bad advertisements slip in, which are shown on a vast array of websites that have signed up with the network or its affiliates. The websites where the ads appear are often unaware they're being abused.

"It goes to show that malvertising is a real problem," Gundert said. "People expect when they go to a Tier 1 website that it is a trustworthy place to visit, but because there are so many third-party external links, that's not really true."

The 90 domains the malicious advertisements pushed traffic to had also been hacked, Gundert said. In the case of the WordPress sites, it appears the attackers used brute-force attacks -- which involves guessing login credentials -- to access the site's control panels. Then, an exploit kit called Rig was inserted, which attacked the victim's computer, Gundert said.

The Rig exploit kit, first spotted in April by Kahu Security, checks if users are running an unpatched version of Flash, Java or the Silverlight multimedia program. If someone's computer isn't patched, "you're instantly exploited," Gundert said.

In the next stage of the attack, a ransomware program called "Cryptowall," a relative of the infamous Cryptolocker malware, is installed. It encrypts the user's files, demanding a ransom. In another sign of the operation's sophistication, the website where users can pay the ransom is a hidden website that uses The Onion Router, or the TOR network.

To navigate to a TOR hidden website, a user must have TOR installed, which Cryptowall helpfully provides instructions for how to install. Those who delay paying the ransom find it increases as time passes.

Because of the use of TOR and the technically complex attack chain, Cisco hasn't yet been able to identify a group behind the attacks.

Gundert said it is likely that several groups or people with different skills -- such as malvertising, traffic redirection, exploit writing and ransomware campaigns -- are working together.

"You could have a threat actor putting together all of these pieces on their own, but there are so many different specialties involved in this attack chain," he said.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags Cisco SystemssecurityscamsExploits / vulnerabilitiesmalwareFacebook

More about CiscoCiscoFacebookWeb Security

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place