Ads on eBay and Drudge Report Were Coopted by Malware for Three Weeks

Another day, another malvertising campaign.

Sep 14 2015, 8:46pm

Image: Kazuhisa OTSUBO/Flickr

For three weeks, an online criminal gang used popular sites such as eBay, the Drudge Report and to try to infect millions of internet users in one of the longest malvertising campaigns ever seen, according to a security firm.

Using booby-trapped ads, commonly known as "malvertising," is quickly becoming the most common way for cybercriminals to infect internet users, because it's an extremely cheap way to infect thousands of users—a low-risk, high-reward type of game.

On the flip side, normally these campaigns have a short lifespan before they get detected—at least, that was the common assumption. But Malwarebytes, a security firm that's been tracking malvertising threats for months, has analyzed a campaign that lasted almost three weeks.

The fact that this operation kept going for so long, according to Jerome Segura, Malwarebytes' senior security researcher, is a reason for concern.

"This is a reminder to all of us in the security industry that there are a lot of campaigns that are going on that we're not aware of," he told Motherboard in a phone interview. "And it really makes us wonder, how much are we really seeing?"

This operation also showed that criminals are adjusting to all the attention malvertising is getting, finding new ways to make their actions stealthier and more durable, according to Segura. In this case, the criminals used ads that did not contain malicious code, but rather used various redirections to lead users to another page that tried to install the Angler Exploit Kit on their device.

All this happened in the background as the users browsed eBay or Drudge Report.

Segura said it's hard to estimate how many people actually got infected as a result of this campaign, but a recent Cisco Systems report estimated that 40 percent of people who get exposed to the Angler Exploit Kit get infected. The ads in this case were displayed on pages that attract millions of visitors, potentially putting millions of people in danger, though it's unclear how often the ads were displayed.

Fighting against this type of malvertising is hard for the websites in question because they outsource parts of their pages to advertising networks, which often don't screen ads to check if they are secure. In any case, according to Segura, a malicious ad wouldn't be a problem if the potential victim did not have a vulnerable computer.

"At the end of the day, the problem isn't really in the ad itself," Segura said. "The ad is the vehicle to load the malware, but the real problem is the fact that computers are vulnerable and are not patched."