Freeware Files | Download Free Software

Sunday, 15 June 2014 00:00

Malicious advertisements on major websites lead to ransomware

Rate this item
(0 votes)

Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and others are leading people to malware that encrypts a computer’s files until a ransom is paid, Cisco Systems has found.

The finding comes shortly after technology companies and U.S. law enforcement banded together in a large operation to shut down a botnet that distributed online banking malware and so-called “ransomware,” a highly profitable scam that has surged over the last year.

Cisco’s investigation unraveled a technically complex and highly effective way for infecting large number of computers with ransomware, which it described in detail on its blog.

“It really is insidious,” said Levi Gundert, a former Secret Service agent and now a technical lead for threat research and analysis at Cisco, in a phone interview Friday.

Cisco has a product called Cloud Web Security (CWS) which monitors its customers web surfing and reports if they are browsing to suspected malicious domains. CWS monitors billions of webpage requests a day, Gundert said.

The company noticed that it was blocking requests to 90 domains, many of those WordPress sites, for more than 17 percent of its CWS customers, he said.

Further investigation showed that many of the CWS users were ending up on those domains after viewing advertisements on high-traffic domains such as “,” “,” “” and “,” a Disney property, among many others.

Certain advertisements that appeared on those domains, however, had been tampered with. If clicked, they redirected victims to one of the 90 domains.

The problem with malvertising

The style of attack, known as “malvertising,” has long been a problem. Advertising networks have taken steps to try and detect malicious advertisements placed on their network, but the security checks aren’t foolproof.

Occasionally, bad advertisements slip in, which are shown on a vast array of websites that have signed up with the network or its affiliates. The websites where the ads appear are often unaware they’re being abused.

“It goes to show that malvertising is a real problem,” Gundert said. “People expect when they go to a Tier 1 website that it is a trustworthy place to visit, but because there are so many third-party external links, that’s not really true.”

The 90 domains the malicious advertisements pushed traffic to had also been hacked, Gundert said. In the case of the WordPress sites, it appears the attackers used brute-force attacks—which involves guessing login credentials—to access the site’s control panels. Then, an exploit kit called Rig was inserted, which attacked the victim’s computer, Gundert said.

How the Rig exploit kit works

cryptowall The Rig exploit kit, first spotted in April by Kahu Security, checks if users are running an unpatched version of Flash, Java or the Silverlight multimedia program. If someone’s computer isn’t patched, “you’re instantly exploited,” Gundert said.Cisco has linked a highly effective attack using a ransomware program called Cryptowall to malicious advertisements seeded on major websites. (Click to enlarge.)

In the next stage of the attack, a ransomware program called “Cryptowall,” a relative of the infamous Cryptolocker malware, is installed. It encrypts the user’s files, demanding a ransom. In another sign of the operation’s sophistication, the website where users can pay the ransom is a hidden website that uses The Onion Router, or the TOR network.

To navigate to a TOR hidden website, a user must have TOR installed, which Cryptowall helpfully provides instructions for how to install. Those who delay paying the ransom find it increases as time passes.

Because of the use of TOR and the technically complex attack chain, Cisco hasn’t yet been able to identify a group behind the attacks.

Gundert said it is likely that several groups or people with different skills—such as malvertising, traffic redirection, exploit writing and ransomware campaigns—are working together.

“You could have a threat actor putting together all of these pieces on their own, but there are so many different specialties involved in this attack chain,” he said.


Subscribe via RSS or Email:

Read 2333 times Last modified on Sunday, 15 June 2014 17:57


0 #1 Michael A 2014-06-16 15:19
Why they do not shut down the company that provides the faulty patchwork systems that make such malware first possible?
No, not because of a faulty system, because of an incomplete system. A system that is not providing any software out of the box and relies on third party software without the slightest chance to check it's quality make users used to install on daily base desperately needed stuff to keep the system running. They easily oversee in that process the one time out of hundreds when they install something malicious.
A proper system is not only complete out of one hand, but the installation of any software can be done by the sysadmin only. In such environment such malware has no chance. On the other hand, someone who do not mind to pay for something he can get in better quality for free will not get hurt by some ransom
  1. Latest News
  2. Most Popular
  3. Top Rated
  4. Latest Comments
  • Michael A
    Why they do not shut down the company that provides the faulty patchwork systems that make such malware first possible? No, not because of a faulty ...


  • Moubreb
    The people at any router between You and facebook can read Your communication if: 1. You're using an http: connection 2. A fake facebook certificate ...


  • theoctagon
    You could always just use what's already baked in: Android Device Manager.


  • Michael A
    AFAIR the patch was available one day after the discovery of heartbleed. That normal with Free Software. Only mislead users of commercial scrap have ...



Quick Search

Powered by Liquidtroll
Prev Next

Pwn2Own: Chrome, Firefox And IE Broke Into Hacking Contest

13-03-2013 Hits:2034 Hacking Georgina K. - avatar Georgina K.

Pwn2Own: Chrome, Firefox And IE Broke Into Hacking Contest

The three browsers proved that they had a number of bugs and security holes. During the first day of Pwn2Own hacking contest held in Vancouver of Canada, the three popular browsers,...

Ubisoft: Assassin's Creed 3

10-04-2013 Hits:1356 Games Panagiotis K. - avatar Panagiotis K.

Ubisoft: Assassin's Creed 3

The Assassin's Creed III is the third official capital of the homonymous series and fifth overall game was released for PC and consoles. After three episodes of Assassin's Creed II, Ubisoft...

Secure Files in your USB Flash Drive

24-12-2012 Hits:1845 How To George Q - avatar George Q

Secure Files in your USB Flash Drive

Encrypt your files with the help of secure AES 256 on a portable USB flash drive with the equally portable application USB Safeguard. The USB flash drives are the perfect way...

Avira's blundern disables large number of computers around the world

17-05-2012 Hits:3448 Security Vasia L. - avatar Vasia L.

Avira's blundern disables large number of computers around the world

The German company Avira which is well known for its antivirus products, have won great number of consumers in the last two years. However, a recent update, had a very adverse...

How to Protect my Children On the Digital World

07-02-2013 Hits:2684 Security Panagiotis K. - avatar Panagiotis K.

How to Protect my Children On the Digital World

Before you let your child walk alone in a big city, he must have a certain age and he have to learn some things. So every parent needs to possess relevant...