Malicious, large-scale Google ad campaign slams users with malware
A large number of ads distributed by a Google advertising partner redirected users to Web-based exploits that attempted to install malware on users’ computers.
Security researchers from Dutch security firm Fox-IT observed the malvertising campaign Tuesday, when ads coming through a Google partner in Bulgaria called Engage Lab started redirecting users to the Nuclear Exploit Kit.
Exploit kits are Web-based attack platforms that try to exploit vulnerabilities in browsers and browser plug-ins in order to infect users’ computers with malware. The Nuclear Exploit Kit specifically targets vulnerabilities in Adobe Flash Player, Oracle Java and Microsoft Silverlight.
“It appears as if all of engagelab.com, its advertisement and zone ID’s, are currently redirecting to a domain, which in turn is redirecting to the Nuclear Exploit Kit, indicating a possible compromise at this reseller of Google advertisement services,” Fox-IT researcher Maarten van Dantzig said Tuesday in a blog post.
The rogue redirects stopped later in the day, suggesting that either Google or Engage Lab took action.
Google and Engage Lab did not immediately respond to requests for comment.
It’s unclear how many websites and users were affected, but according to Dantzig, Fox-IT “detected a relatively large amount of infections and infection attempts from this exploit kit among our customers.”
The Fox-IT researchers have yet to identify the specific malware program distributed through the campaign.
Malvertising has been a growing problem for years and despite large advertising networks claiming to have sophisticated defenses in place, attackers still find ways to bypass them.
These attacks are particularly dangerous, because users don’t need to visit obscure websites in order to get infected. Once attackers manage to push malicious ads onto a large advertising network, those ads get displayed on popular, generally trusted websites.
A 2014 investigation into malversting by the U.S Senate concluded that “the online advertising industry has grown in complexity to such an extent that each party can conceivably claim it is not responsible when malware is delivered to a user’s computer through an advertisement.”
That’s because a typical online advertisement goes through five or six intermediaries before being displayed in a user’s browser and it can be replaced with a malicious one at any point in that chain. Website owners also have no control over what ads will be displayed on their websites, the U.S. Senate said.
Report: Russian hackers accessed White House email
The State Department and the White House said late last year they had seen suspicious activity in their networks, though the White House said at the time only unclassified systems were affected. That may have been true, but it understated the sensitivity of the information accessed, CNN reported Tuesday, citing unnamed U.S. officials briefed on the investigation.
While the White House designates its email system as “unclassified,” it still contains sensitive information that could be valuable to foreign spies. The information accessed included real-time, non-public details about Obama’s schedule, CNN reported.
The Russian hackers used their earlier breach of the State Department’s network as a “perch” from which to access the White House computer systems, CNN said.
A spokesman for the White House’s National Security Council played down the significance of the CNN report, calling it speculation about a previously disclosed breach.
“Any such activity is something we take very seriously. In this case, as we made clear at the time, we took immediate measures to evaluate and mitigate the activity,” said spokesman Mark Stroh.
The National Security Council will not comment on CNN’s “attribution to specific actors, he said.
The White House does not believe its classified systems, which contain national security information, were compromised, White House Deputy National Security Advisor Ben Rhodes told CNN in an interview.
The earlier breach of the State Department is believed to have been carried out using a phishing email targeting a State Department email account.