As online advertising evolves to become more personalized and targeted, web surfers are increasingly lured to click on banners, pop-ups and video clips that match their interests. It hasn’t taken long for criminals to scent an opportunity in that, and click-fraud and malvertising continue to rise. Now, researchers have uncovered a rogue ad network deliberately embedding malicious redirection scripts into its Flash advertisements.
Malwarebytes senior security researcher, Jerome Segura, said that he suspects that the rogue agency is controlled by Russian cybercriminals. He dissected one of the ads and found that it leads victims to a page hosting an exploit kit known as RIG EK, which exploits Flash and installs a trojan (Trojan.Agent.ED).
“This particular ad may have been placed on a number of websites, big and small and leading to several thousand infections,” said Segura of one example, in his analysis.
Most rich ads are built with Adobe Flash, a technology that allows ads to be animated, play sounds and that can be interacted with. Segura explained that typically, someone who visits a website may look at the ad and, if interested, might click on it. Both the site owner and the advertising network will earn a commission for leading a potential customer to a brand/store.
In this case, it leads to an exploit kit. For the ad network, this is a double source of revenues: Ad impressions and pay-per-click revenue, as well as commissions per malware install.
“If you were a website owner and allowed this advertising network to insert its ads on your site you would be unknowingly (or not, if the owner is part of the scheme) infecting your visitors,” Segura said.
The malware is stealthy as well. To go unnoticed, the ad network employs several strategies: A benign redirection inside of the ad; the URL it is calling is not supposed to be known from anybody else; a check ignores debuggers and other non-compatible systems; and the redirection only happens once per IP address, making re-playability harder.
To protect against the issue, users should disable Flash or use tools like NoScript.
“As with any other lucrative business, there are going to be miscreants who try to abuse the system,” said Segura. “A study published by the Wall Street Journal shows that one third of all Internet traffic is bogus.”
He added, “At the end of the day, this is yet another case of malvertising.”