August 22, 2016

Held for Ransom: How Attackers Use Web Ads to Kidnap Data

Malvertising uses ads on legitimate mainstream sites to hack your system.

In the ceaseless, costly struggle against cybersecurity threats comes a new menace, and it’s spreading rapidly. A number of popular and legitimate news sites, including the New York Times, The Hill, Newsweek, NFL.com, BBC, and the Weather Channel, were victims of a malware attack earlier this year, and more are sure to follow.

The threat is called malvertising, and it’s a cybercrime that delivers malware or ransomware on a wide scale via ads displayed on webpages. The campaign began when hackers used the Angler toolkit to hijack the ad networks used by each of these sites and push infected banner ads. Angler exploits vulnerabilities in certain software.

Sites hosting the ads, as well as the networks distributing them, spread the malicious code unwittingly after it is injected through weak points in their security systems. Even worse: This malware isn’t triggered by user actions such as clicking on ads, downloading toolbars, or resetting homepages. Ads automatically push the code into computer systems while users browse the morning headlines, check financial numbers, or watch a video, even if ad blockers are deployed.

The Rise of Ransomware

Ransomware malvertising is especially insidious. Hackers use malicious code to hijack computer systems, releasing them only after a bounty is paid. The tactic is spreading rapidly, as hackers exploit the proliferation of networked devices, sensors, and servers.

Back in February, Hollywood Presbyterian Medical Center in Los Angeles was hit by a ransomware attack that seized patient medical records, blocking access by medical staff until a $3.6 million ransom was paid. The hospital eventually shelled out $17,000 to get its files back. A month later, Methodist Hospital in Henderson, Kentucky, was hit with a ransomware attack that encrypted its computer system files. Hackers demanded a $1,600 ransom to release them.

Web-based threats like these have become so pervasive that it now seems any surfing by organizational staff poses a potential threat to enterprise networks. And while sophisticated firewalls and intrusion detection can effectively thwart damaging network breaches, they are much less effective at blocking threats through enterprise connections to the internet. According to a report by the Interactive Advertising Bureau and Ernst & Young, malvertising costs the digital advertising industry more than $1.1 billion annually. Costs are no doubt much higher when user systems and enterprise networks are taken into account.

In these most recent attacks on prominent media sites, hackers acquired and exploited recently expired domain names from small advertising firms. By acquiring what were most likely legitimate domains, the attackers were able to slip through network checks because the traffic appeared legit.
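A defender-side check for the expired-domain technique described above, as an added example that is not part of the original article: it flags allowlisted ad domains whose current registration is newer than the date they were approved, and lists the clients that requested them. The domain names, dates, log format and function names are constructed for illustration; in practice the creation dates would come from WHOIS/RDAP lookups.

```python
from datetime import date

# Constructed records: allowlisted ad domains, the date each was approved, and the
# creation date of the current registration (from WHOIS/RDAP). None = lookup failed.
TRUSTED = {
    "adpartner-one.example": {"approved": date(2013, 5, 2), "created": date(2009, 11, 17)},
    "smallads.example":      {"approved": date(2012, 8, 20), "created": date(2016, 3, 6)},
    "bannerco.example":      {"approved": date(2014, 1, 9), "created": None},
}

# Constructed proxy log lines: "<date> <client> <requested host>"
LOG = """\
2016-03-13 10.0.0.21 cdn.adpartner-one.example
2016-03-13 10.0.0.21 track.smallads.example
2016-03-13 10.0.0.35 track.smallads.example
2016-03-14 10.0.0.40 img.bannerco.example
2016-03-14 10.0.0.40 news.example
"""

def trusted_parent(host):
    """Return the allowlisted domain that host equals or is a subdomain of."""
    for domain in TRUSTED:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def audit(log_text):
    """Map each suspicious allowlisted domain to (reason, clients that requested it)."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _day, client, host = parts
        domain = trusted_parent(host.lower().rstrip("."))
        if domain is None:
            continue  # not on the allowlist; left to normal filtering
        rec = TRUSTED[domain]
        if rec["created"] is None:
            reason = "registration unknown"
        elif rec["created"] > rec["approved"]:
            reason = "re-registered after approval"  # ownership may have changed
        else:
            continue
        findings.setdefault(domain, (reason, set()))[1].add(client)
    return findings

if __name__ == "__main__":
    print(audit(LOG))
```

A domain flagged as re-registered should lose its allowlist entry until its new owner is verified.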

Building Defenses

These attacks underscore the vital role smart browsing plays in maintaining a secure stance online. Users can reduce their attack surface by uninstalling porous browser tools like Adobe Flash, Oracle Java, and Microsoft Silverlight, if feasible for the work they do. In fact, it might be prudent to disable any plug-ins that aren’t absolutely necessary. Keep browsers up to date to ensure all known vulnerabilities are patched.

In addition, explore emerging third-party cloud-based web browsing services. These providers offload potentially dangerous internet traffic onto their own networks, provisioning users only with a virtual browser interface. With simple browser hygiene, you won’t eliminate the malvertising/ransomware threat, but you can reduce your chances of being victimized by a debilitating attack.

