Last week, ESET Research posted a report about malware it had discovered that gathered information about infected computers and reported it back to the attack server. That, unfortunately, is not unusual. What is unusual about this exploit is the way it is delivered to the victim computer: the attack code is hidden inside an image that looks like an ad. It is interesting to see the clever way this was done, and also how the exploit developed over time. It is also important to note that the protection against this attack (as with so many other attacks) is simply keeping your software patched and up to date.
- Millions exposed to malvertising that hid attack code in banner pixels (Ars Technica | Dan Goodin) “The ads promote applications calling themselves ‘Browser Defence’ and ‘Broxu’ and targeted people who visited the news sites using Internet Explorer browsers. The script concealed in the pixels exploited a now-patched IE vulnerability indexed as CVE-2016-0162 to obtain details about the visitors’ computers. Among other things, the script checked for the presence of packet capture, sandboxing, and virtualization software and a variety of security products. Machines that didn’t exhibit signs of the software and contained a vulnerable version of Flash were then redirected to the exploit site, which would serve one of two families of malware.”
- Malicious online ads expose millions to possible hack (IT World | Michael Kan) “Hackers have used similar so-called malvertising tactics to secretly serve malicious coding over legitimate online advertising networks. It’s an attack method that has proven to be successful at quickly spreading malware to potentially millions.”
- Readers of popular websites targeted by stealthy Stegano exploit kit hiding in pixels of malicious ads (Security Newspaper) “An earlier variant of this stealthy exploit pack has been hiding in plain sight since at least late 2014, when we spotted it targeting Dutch customers. In spring 2015 the attackers focused on the Czech Republic and now they have shifted their focus onto Canada, Britain, Australia, Spain and Italy. In the earlier campaigns, in an effort to masquerade as an advertisement, the exploit kit was using domain names starting with ‘ads*.’ and URI names containing watch.flv, media.flv, delivery.flv, player.flv, or mediaplayer.flv. In the current campaign, they have improved their tactics significantly. It appears that the exploit pack’s targeting of specific countries is a result of the advertising networks the attackers were able to abuse.”
Articles from Ohio Web Library:
- Cyber crime: 10 things every leader should know. (Director, Oct. 2015, p.68-72 | Nick Scott)
- 5 immediate ways to fight cybercrime. (Fortune, 3/15/2016, p.44 | Verne Harnish)
- Threat and challenges of cyber-crime and the response. (SAM Advanced Management Journal, Spring 2016, p.4-10 | C. Alexander Hewes, Jr.)