Readers of celebrity gossip site TMZ hit by malvertising campaign

TMZ website

The celebrity gossip website TMZ has become the latest victim of an ongoing malvertising campaign that redirects visitors to the malicious Angler exploit kit.

Last month, Malwarebytes security researcher Jérôme Segura published a blog post in which he explains how he had and his colleagues successfully spotted a malvertising campaign targeting Rotten Tomatoes, Jerusalem Post, LifeBuzz, and other publishers:

"We’ve found out that most of the rogue advertisers are leveraging the CloudFlare infrastructure to hide their backend server and encrypt their traffic as well, along with using anonymous proxy registration details for the domain."

When a user lands on the ad page, the malicious code initiates a series of scans to check for various vulnerabilities and other conditions on the victim's computer. If those conditions are met, the user is then redirected to a landing page for the Angler exploit kit, which can download various malicious attacks onto a user's computer.

AnglerFor the online criminals who wish to leverage a malvertising campaign, the costs are small compared to the rewards they can potentially reap by gaining access to a victim's computer.

In these particular attacks, a malicious ad costs only $0.14 per one thousand impressions (CPM). This price ratio demonstrates just how cheap malvertising can be.

Not only that, but malvertising appeals to attackers for its flexibility. Computer criminals can always leverage the same infrastructure to create new fake profiles through which they can push new ads.

This is exactly what has happened in the case of these particular attacks.

Just one week after Segura first reported on the malvertising campaign targeting Rotten Tomatoes, he has now revealed how the celebrity gossip website TMZ has become the latest site to be exploited:

"The same ad chain pattern from ContextWeb (PulsePoint) to Smarty Ads and eventually various rogue advertisers can be observed. The latter are leveraging cloud security provider CloudFlare's infrastructure to hide their server's real location as well as encrypt the ad delivery."

Flow

Each malicious ad served via the TMZ site costs $0.19 - a few cents more than with Rotten Tomatoes, but still incredibly cheap for a campaign that has the potential to infect thousands of users with malware.

Anti-DDoS mitigation service CloudFlare is currently looking into Segura's findings, and Malwarebytes says it is currently awaiting a response from ContextWeb.

While researchers take a closer look into this malvertising campaign, I urge users to please be careful when clicking on ads - even those found on reputable websites.

It might be in your best interest to activate an ad blocker browser extension to help protect you against annoying and/or malicious ads. Also, please remember to update your software and implement patches as soon as possible, to reduce the chances of your computer having an exploitable vulnerability.

Simple security steps like these gives you a better chance of not being struck by an exploit kit in the event that you are encounter a malvertising campaign.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

2 Responses

  1. Elliot Alderson

    February 5, 2016 at 10:54 pm #

    I never click on ads. all ads suck! just like TMZ, that Piccadilly Circus Hollywierd Freak Show is nothing but ads.

    firefox + adblock plus + noscript + HTTPS Everywhere + Privacy Badger = no crap ads

    internet explorer 11 + adblock plus = no crap ads

    and of course either Microsoft Security Essentials
    http://windows.microsoft.com/en-us/windows/security-essentials-download
    or any anti-virus suite either free or paid for as well as constantly updating the definitions of such suite.

    it's as simple as driving a car, but if you can't even maintain your car, then you shouldn't be allowed to have one of those either. you shouldn't use google chrome browser either, because it's spyware in disguise.

  2. coyote

    February 6, 2016 at 1:14 am #

    'Not only that, but malvertising appeals to attackers for its flexibility.'

    Don't forget it's a canned attack. It's even more pathetic in that they're paying for this. This won't change their thinking, of course, but the fact attacks are sold makes things much worse – and governments participating should be even more ashamed of themselves. Ashamed of themselves for not only participating but also harming more devices (and potentially causing the owners much grief and potentially ruining lives) which makes the Internet less safe (and it's not like the Internet is safe to begin with – it never has been and never will be). Worse still, they are encouraging the (other) criminals into continuing their deeds.

Leave a Reply