Crooks made about 65 BTC ($25,000 / €19,700) per day

Oct 23, 2014 14:50 GMT  ·  By

Malicious advertisements made it to high-traffic websites, among them Yahoo, AOL, Match.com and 9gag, and exposed as many as three million visitors on a daily basis to CryptoWall 2.0, a ransomware with file encryption capabilities.

Malvertising works by inserting a malicious online ad into an ad network, which then pushes it to client websites. In many cases, users are served different ads depending on their location and observed online interests, which makes the attack more difficult to detect.

Moreover, the payload is delivered to the target computer via drive-by download, with no visible indication that the website has been compromised.

High-profile websites targeted

In the recent campaign observed by Proofpoint, the attackers relied on the FlashPack Exploit Kit to take advantage of vulnerabilities in Adobe's Flash Player and execute CryptoWall 2.0 on the computer.

The ransomware encrypts the information on the hard disk and, at the end of the process, displays a ransom note informing the victim that a fee must be paid in order to receive the decryption key.

Security experts advise against paying the money, because doing so encourages cybercriminals to keep using this kind of blackmail and, more importantly, there is no guarantee that the key will be received after the money is paid.

The best defense is to take proactive measures and create a backup copy of the drive, or at least of the most important data on it, and store it in a safe location that is not connected to the computer; otherwise, the backup can be encrypted as well.

The websites impacted in this attack are highly ranked on Alexa, and apart from the aforementioned owners, the list also includes The Sydney Morning Herald, The Age, iPhone for Hong Kong and Flirchi.

Cybercriminals could have made off with more than $750,000 / €593,000

Proofpoint provides a list of 22 websites that have been serving malicious advertisements to their visitors; the company first noticed signs of malicious activity in late September, and since then, it worked with partners to shut down the illegal operation. The last detected issue was last week, on October 18, a Proofpoint report reveals.

It is important to note that the websites themselves have not been compromised, but rather the networks pushing the ads. According to the researchers, the cybercriminals made an estimated $25,000 / €19,700 per day in Bitcoin crypto-currency (~65 BTC).

The total amount generated through this campaign could be around $750,000 / €593,000, because the incident is estimated to have lasted for at least 30 days.

The security company observed at least three major ad network members delivering malvertisements to website publishers: Rubicon Project, Right Media / Yahoo Advertising and OpenX.

“In all cases, the attacker did not devise their own ‘creative’ (that is, images and ad copy), but instead stole them from around the web. As noted above, there is no indication that the sites for the brands whose ads were stolen – including Microsoft Bing, Fancy, and Case Logic – were compromised or otherwise involved in the malvertising campaign. In this regard, these companies are exposed to brand damage just as the sites that included malicious content from ad networks,” Proofpoint notes.