Large advertising-based cyberattack hit BBC, New York Times, MSN

The attack bypassed the security systems of many online advertising companies, putting users at risk of being infected with ransomware

Major websites including the BBC, Newsweek, The New York Times and MSN ran malicious online advertisements on Sunday that attacked users' computers, a campaign that one expert said was the largest seen in two years.

The websites weren't at fault. Instead, they are unwitting victims of malvertising, a scheme where cyberattackers upload harmful ads to online advertising companies, which are then distributed to top-tier publishers.

Tens of thousands of computers could have been exposed to the harmful advertisements on Sunday, which means some running vulnerable software may have been infected with malware or file-encrypting ransomware.

Some bad ads were still appearing on some websites including the BBC on Monday, said Jerome Segura, a senior security researcher with Malwarebytes, in a phone interview Tuesday.

The advertisements connected with servers hosting the Angler exploit kit. The kit tries to find software vulnerabilities on a computer in order to deliver malware.

A successful exploit could deliver ransomware, a type of malware that encrypts a computer's files. Victims are asked to pay a ransom, usually in bitcoin, in order to get the decryption key and restore their systems.

Trend Micro wrote about the same attack on Monday. Segura said he delayed publishing a blog post while he contacted major advertising networks, including Google's DoubleClick, Rubicon, AOL and AppNexus, to get the malicious advertisements removed. He published a post on Tuesday.

Some of the offending ads have been removed, but not all. He decided to go public despite not getting acknowledgment from some online advertisers.

Josh Zeitz, vice president of communications for AppNexus, said via email on Tuesday that the advertiser that placed the bad ad had been "deactivated" soon after the company was notified by Segura. The bad ad had not been placed directly through AppNexus, but instead came from a third party, Zeitz said.

AppNexus has an anti-malware detection system called Sherlock it uses to screen ads and also uses a filtering product from a third-party vendor, Zeitz wrote.

"We devote considerable financial resources to safeguarding our customers," Zeitz wrote. "Unfortunately, bad actors also invest considerably in developing new forms of malware."

Officials at Google, Rubicon and AOL couldn't immediately be reached for comment.

It is rare to see a malvertising campaign affect so many different online advertising companies at the same time, Segura said.

"These are the top ad networks in the world," he added. "For some reason, they were all affected. It was shocking to be honest."

He contacted the advertising companies on Sunday, but some did not reply until Monday morning and others later.

"Some of them I had to ask again, and I heard from them on Monday night," Segura said. "The response time on a weekend is definitely reduced."

Malwarebytes detected the attack through users who use its Anti-Exploit software. If someone using Malwarebytes' software went to The New York Times and encountered a malicious ad, the attack would be blocked and also reported to Malwarebytes.

"That's how we are able to say this is where it happened," Segura said.

The large attack on Sunday was presaged by a smaller attack on Friday using a different exploit kit called Rig. Segura theorized that the smaller attack, which still hit some major publishers, may have been a test run for the larger one on Sunday, which he said was 10 times the size normally seen.

Malvertising has proven tough to stamp out. Online advertising companies use a variety of security tools to try and catch malicious ones, but they're far from foolproof.

Also, the byzantine relationships between ad-serving companies and the highly automated way online ads are sold and delivered provides ample opportunity for miscreants to get malicious ones circulating.

"It's hard to imagine, but a lot of the ad networks don't know each other very well and yet they're doing business with each other," Segura said.

The path an ad takes before it is loaded onto Web page is often a long trail of companies that have an ad-related business relationships. Since advertising slots are often sold through real-time bidding, speed is also a factor.

For example, the first request for an ad to be delivered to The New York Times' website might come from Google's DoubleClick servers, Segura said. But the actual ad may come from further down a long chain, and Google may not "always know who is responsible," Segura said.

"That's a bit of a problem," he said.

Join the CSO newsletter!

Error: Please check your email address.

More about AOLAppNexusDoubleClickGoogleMalwarebytesMSNTrend Micro

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place