The celebrity gossip website TMZ has become the latest victim of an ongoing malvertising campaign that redirects visitors to the malicious Angler exploit kit.
Last month, Malwarebytes security researcher Jérôme Segura published a blog post in which he explained how he and his colleagues had successfully spotted a malvertising campaign targeting Rotten Tomatoes, Jerusalem Post, LifeBuzz, and other publishers:
“We’ve found out that most of the rogue advertisers are leveraging the CloudFlare infrastructure to hide their backend server and encrypt their traffic as well, along with using anonymous proxy registration details for the domain.”
When a user lands on the ad page, the malicious code initiates a series of scans to check for various vulnerabilities and other conditions on the victim’s computer. If those conditions are met, the user is then redirected to a landing page for the Angler exploit kit, which can download various malicious payloads onto a user’s computer.
In these particular attacks, a malicious ad costs only $0.14 per one thousand impressions (CPM). This price ratio demonstrates just how cheap malvertising can be.
Not only that, but malvertising appeals to attackers for its flexibility. Computer criminals can always leverage the same infrastructure to create new fake profiles through which they can push new ads.
This is exactly what has happened in the case of these particular attacks.
Just one week after Segura first reported on the malvertising campaign targeting Rotten Tomatoes, he has now revealed how the celebrity gossip website TMZ has become the latest site to be exploited:
“The same ad chain pattern from ContextWeb (PulsePoint) to Smarty Ads and eventually various rogue advertisers can be observed. The latter are leveraging cloud security provider CloudFlare’s infrastructure to hide their server’s real location as well as encrypt the ad delivery.”
Each malicious ad served via the TMZ site costs $0.19 – a few cents more than with Rotten Tomatoes, but still incredibly cheap for a campaign that has the potential to infect thousands of users with malware.
Anti-DDoS mitigation service CloudFlare is currently looking into Segura’s findings, and Malwarebytes says it is currently awaiting a response from ContextWeb.
While researchers take a closer look into this malvertising campaign, I urge users to please be careful when clicking on ads – even those found on reputable websites.
It might be in your best interest to activate an ad blocker browser extension to help protect you against annoying and/or malicious ads. Also, please remember to update your software and implement patches as soon as possible, to reduce the chances of your computer having an exploitable vulnerability.
Simple security steps like these give you a better chance of not being struck by an exploit kit in the event that you encounter a malvertising campaign.