Skype users hit by ads spreading malicious Angler exploit kit

David bisson
David Bisson
@

Skype users hit by ads spreading malicious Angler exploit kit

Researchers recently spotted a malvertising campaign that used poisoned ads on Skype to redirect users to the Angler exploit kit.

Karmina Aquino, a security expert at F-Secure Labs, explains in a blog post how she and her colleagues came across something unusual while they were analyzing a malvertising campaign launched via the AppNexus ad platform (adnxs.com)

“One of the platforms for infection that we observed was Skype. It was interesting to note that having the ad displayed in a platform external to the browser did not mean that the browser was no longer accessible and thus the user could no longer be affected.”

Sign up to our free newsletter.
Security news, advice, and tips.

Ad urls

Further analysis revealed that the campaign leveraged ads posted on a number of other websites, including shopping sites (ebay.it), gaming forums (wowhead.com, gsn.com, zam.com, wikia.com), news sites (dailymail.co.uk), and online internet portals such as msn.com, to redirect users to a landing page for the Angler exploit kit.

In this particular campaign, Angler downloaded and infected each user with TeslaCrypt ransomware.

Teslacrypt

Karmina writes that the malvertising campaign ended soon after she and her fellow researchers detected it. But we would be remiss to think that we have seen the last of Skype-based malvertising attacks.

Indeed, the video chat technology, which uses a non-browser application to displays ads to users, has been leveraged by attackers to disseminate malicious ads for three years in a row.

Back in early 2014, a user posted to Bleeping Computer how researching a particular pop-up ad in Skype via Google Search revealed that the popular video chat software’s ad service had been compromised.

Approximately one year later, Skype users were exposed to a series of malicious ads that masqueraded as fake Adobe Flash, Java, and QuickTime updates.

This latest campaign clearly demonstrates that platforms that display ads, even when they are not the browser, are not immune from malvertising.

Skype adverts

With that in mind, it would be a good idea to install an ad-blocker to protect against those pesky browser-based apps. Installing an anti-virus solution will provide added protection if attackers decide to migrate their ads to non-browser applications.

In either scenario, it is best that you refrain from clicking on an ad, as you have no idea where it might take you.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

3 comments on “Skype users hit by ads spreading malicious Angler exploit kit”

  1. Darren

    And this is why I use an ad-blocker. While it's robbing legitimate content producers of advertising revenue I still get a safer (and in many cases faster) web browsing experience when blocking ads.

    Good article, thanks for keeping us informed.

    1. coyote · in reply to Darren

      I'd say you shouldn't feel any sympathy whatsoever. The only ones who should have sympathy and more so should apologise (but I realise it's easier said than done because of the idiocy of laws which says apologising = guilty of some crime = can sue etc.) are those who insist on advertising despite the risks involved. But they typically won't do anything but whine.

      As for me, I only use skype because it's the only way I can communicate with some people. But I use Linux and the Linux skype is very limited including no adverts. I'd block them anyway though with or without an ad blocker (and there are many ways to do this).

  2. Generic commenter

    Some android phones seem to go out of their way to misinterpret a scrolling finger as a clicking finger.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.