On March 15, 2015, tens of thousands of computers were infected with crypto ransomware and other malware after malicious advertisements managed to slip onto mainstream websites such as the New York Times, BBC, MSN, and AOL.
It appears that visitors to the infiltrated websites were lured in by clickbait article titles and seemingly benign domain names that often included “media.” This particularly virulent malvertising campaign began a week ago, but it wasn’t until it cracked into these popular websites that the real damage was done. The campaign shows no signs of slowing as it migrates away from mainstream media sites into popular question forums such as answers.com and infolinks.com. So far the campaign has spread to Google, AppNexus, AOL, and Rubicon networks.
Currently we know only a little about the specifics of this attack. It appears it was designed using the tried and true “Angler” toolkit. As an Angler creation, it is designed to go after third-party browser extensions such as Microsoft Silverlight and Adobe Flash. Few details have been released about which specific ransomware and malware families are involved. However, SpiderLabs has identified TeslaCrypt. This family of ransomware is one of the latest to hit the internet and is known to infect Windows. So far the campaign has been traced back to domain names such as trackmytrafficc.biz, evangmedia.com, brentsmedia.com, talk915.pw, and shanjiamedia.com.
While this particular malvertising campaign is unmatched in the speed and spread of its attack, malvertising is nothing new. Malvertising campaigns cost an average of $8 billion every year in repair and recovery, and these campaigns show no sign of fading anytime soon. From January to June of 2015, malicious advertisements cost victims $525 million. The epidemic has gotten so bad that some experts are claiming that ad-blockers have become a necessity. Considering that the internet runs on revenue generated from ads, this is a very grave proclamation that underscores just how serious the malvertising threat is.
It’s still too early to tell if the current malvertising campaign will be more devastating than last year’s Fessleak malvertising campaign. The Fessleak campaign was created by a Russian criminal crew that used clickbait articles linked to the Charlie Hebdo terrorist attacks to infect countless computers. However, taking into account the devastation this latest campaign has wrought in only 24 hours, it is very likely the current malvertising campaign will surpass the Fessleak attacks as the worst malvertising campaign on record.