Update 08/14: The campaign has moved to another advertiser (AOL) and new Azure domain:
Malvertising URL:
imp.bid.ace.advertising.com/{redacted}pmcpmprice=0.545/{redacted}dref=http://www.ebay.com/sch/i.html?_nkw=jazzy+wheelchair+battery&_pgn=3&_skc=100&rt=nc
First redirection (Azure website):
v5tr34-a09.azurewebsites.net/?=a09vv5vtrkp
Second redirection:
mbiscotti.com/?Xz29TuVbablQc
Angler exploit kit:
abgzdbergzr.jeppe.iemooentypo.com/{redacted}
abgzdbergzr.le9.anguoanti-malware.net/abgzdbergzr/{redacted}
Our telemetry captured this malvertising on eBay.com, and the cost per thousand impressions (CPM) for this ad was $0.545. Visitors who were served that ad were redirected to the Angler exploit kit, known for dropping ransomware and ad fraud malware.
– – Original story —
The actors behind the recent Yahoo! malvertising attack are still very much active and able to infect people who browse popular websites.
We have been tracking this campaign and noticed that it has recently moved to a new ad network used by many top publishers.
- weather.com 121M visits per month
- drudgereport.com 61.8M visits per month
- wunderground.com 49.9M visits per month
- findagrave.com 6M visits per month
- webmaila.juno.com 3.6M visits per month
- my.netzero.net 3.2M visits per month
- sltrib.com 1.8M visits per month
Stats according to SimilarWeb.com
The malvertising is loaded via AdSpirit.de and includes a redirection to an Azure website. Note how both URLs are using HTTPS encryption, making it harder to detect the malicious traffic at the network layer.
Redirection chain
- Publisher’s website
- https://pub.adspirit.de/adframe.php?pid=[redacted]
- https://pr2-35s.azurewebsites.net/?=pr2-35s-981ef52345
- abcmenorca.net/?xvQtdNvLGcvSehsbLCdz
- Angler Exploit Kit
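Both chains described above (the AdSpirit one here and the AOL one in the update) share a structure a proxy-log review can pick out: an ad-network referrer, an azurewebsites.net hop whose query is a bare `=<token>` with no parameter name, then a redirector whose query is a single random keyless token. The following is an added example, not Malwarebytes' code; the log lines are constructed from the hosts and tokens reported on this page, and the log format (client, URL, referrer) is an assumption.

```python
"""Flag the ad network -> Azure -> redirector chain from constructed proxy log lines."""
from urllib.parse import urlsplit, parse_qsl
# Ad-network hosts named in the post; extend with your own feed.
AD_NETWORK_HOSTS = ("adspirit.de", "advertising.com")

# Constructed sample log, one hop per line: client, requested URL, referrer.
# Hosts and tokens are the ones reported above; the last line is benign Azure traffic.
SAMPLE_LOG = """\
10.0.0.5 https://pub.adspirit.de/adframe.php?pid=REDACTED https://www.weather.com/
10.0.0.5 https://pr2-35s.azurewebsites.net/?=pr2-35s-981ef52345 https://pub.adspirit.de/adframe.php?pid=REDACTED
10.0.0.5 http://abcmenorca.net/?xvQtdNvLGcvSehsbLCdz https://pr2-35s.azurewebsites.net/?=pr2-35s-981ef52345
10.0.0.7 http://imp.bid.ace.advertising.com/REDACTED http://www.ebay.com/sch/i.html
10.0.0.7 http://v5tr34-a09.azurewebsites.net/?=a09vv5vtrkp http://imp.bid.ace.advertising.com/REDACTED
10.0.0.7 http://mbiscotti.com/?Xz29TuVbablQc http://v5tr34-a09.azurewebsites.net/?=a09vv5vtrkp
10.0.0.9 https://example-cdn.azurewebsites.net/?page=2 https://www.example.org/
"""

def host_of(url):
    return urlsplit(url).hostname or ""

def in_ad_network(host):
    return any(host == s or host.endswith("." + s) for s in AD_NETWORK_HOSTS)

def is_empty_key_token(url):
    """Query is a single '=<token>' pair with no name, as on the Azure hops seen."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return len(pairs) == 1 and pairs[0][0] == "" and len(pairs[0][1]) >= 8

def is_bare_random_query(url):
    """Query is a single keyless token, as on the second redirector."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return len(pairs) == 1 and pairs[0][1] == "" and len(pairs[0][0]) >= 10

def find_chains(log_text):
    """Return (client, [ad_url, azure_url, next_url]) for every matching 3-hop chain."""
    hops = [line.split(" ", 2) for line in log_text.splitlines() if line.strip()]
    by_ref = {}                      # (client, referrer) -> URLs requested from it
    for client, url, ref in hops:
        by_ref.setdefault((client, ref), []).append(url)
    found = []
    for client, url, ref in hops:
        if not in_ad_network(host_of(ref)):
            continue
        if not (host_of(url).endswith(".azurewebsites.net") and is_empty_key_token(url)):
            continue
        for nxt in by_ref.get((client, url), []):
            if is_bare_random_query(nxt):
                found.append((client, [ref, url, nxt]))
    return found
```

The benign azurewebsites.net request with a normal `page=2` query is not flagged, so the empty-key check is what carries the signal rather than the Azure hostname alone.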
Malwarebytes Anti-Exploit users were protected against this attack.
We informed the ad network and although they did not immediately get back to us, the rogue advert was taken down.
Is it really any wonder that ad blockers are so popular? Instead of complaining about lost revenue the ad industry needs to reform itself. It really shouldn’t have to be a choice between supporting the ad sponsored sites I frequent (which I really want to be able to do) or rolling the dice on being served Cryptowall 3 by the Angler EK. They’ve had plenty of time to address this issue but instead of doing so they seem more concerned with complaining about how unfair it is of us to use ad blockers.
You make some good points there. I think supporting free content is fine but not with the kind of risk it entails. People already hate ads, and we really didn’t need another incentive to block them.
The popularity of ad blockers may really force the ad industry’s hand to change how they go about advertising. It could be the use of new technologies that make malvertising harder or perhaps sponsored content where the advertiser is mentioned throughout the article in other ways than with a traditional ‘ad banner’.
Perhaps the ad networks might vet ads first?
As well as the risk for users, I think it’s unfair to the content producers too. Content producers can’t fix the problem themselves, the changes need to be made by the ad networks. And since even the large, reputable agencies are susceptible to malvertising attacks they can’t even vote with their wallets.
I like the idea of alternatives to banner ads. In fact, one of the few places that I think does ads absolutely right, the TWiT network, does this. They have the advantage of producing audio and video content which I think is probably easier to weave ads into than written content but it still shows that the concept is feasible.