August 27, 2014, 1:22 PM — Some visitors to several high-profile websites last week were redirected to browser exploits that installed malware on their computers because of malicious advertisements on those sites.
The attack affected visitors to Java.com, Deviantart.com, TMZ.com, Photobucket.com, IBTimes.com, eBay.ie, Kapaza.be and TVgids.nl between Aug. 19 and Aug. 22, according to researchers from Dutch security firm Fox-IT.
"These websites have not been compromised themselves, but are the victim of malvertising," the researchers said Wednesday in a blog post. "This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware."
The rogue ads were distributed through AppNexus, a company that runs a real-time online advertising platform, and redirected visitors to an instance of the Angler exploit kit, according to the Fox-IT analysis. This attack tool can exploit vulnerabilities in outdated versions of Flash Player, Java and Microsoft Silverlight to silently install malicious programs on users' computers.
In this particular attack, hackers used the Angler exploit kit to install a variant of the Asprox botnet malware, the Fox-IT researchers said. "Asprox is a notorious spam botnet which has upped its game over these past few months by using the infected machines to perform advertisement clicking fraud."
While Asprox is primarily known for sending spam, the malware also has other malicious functionality including scanning websites for vulnerabilities and stealing log-in credentials stored on computers.
Similar attacks have been reported across various advertising networks and websites over the years and prompted an investigation by the U.S. Senate. This latest incident suggests that their sophistication is growing.
In this particular case, attackers took advantage of an online advertising practice known as retargeting to make their attack harder to detect. Retargeting involves leaving tracking data like cookies or other files inside users' browsers when they visit certain brand websites, so that they can later be shown ads about those brands on other sites.
"Clients were affected when they were retargeted due to having interesting tracking data," the Fox-IT researchers said via email. "Interestingly enough, this tracking data was used to deliver malicious content."