A wave of malware is hitting online advertising this week with the latest report of hackers buying ads and then loading Rig 3.0, a service that reports back whether a person’s computer is vulnerable and then loads a Trojan. This malware has reportedly infected 1.3 million people already. Adding to that hackers have infected Yahoo’s Ad Network to infect devices with Angler exploit kits – a particularly virulent form of malware. The affected websites include Yahoo.com and its related news, sport, and celebrity gossip pages.
Lane Thomas, Security Research and Software Development Engineer of Tripwire says, these latest hits reflect the bad state of security within the web and shows how HTTPs is not the whole answer to protecting a website.
Lane Thomas, Security Research and Software Development Engineer of Tripwire :
“This type of attack scenario shows just how bad our state of security within the web is; unfortunately, it is in a very bad state. I laugh out loud when I hear folks say: “All you need to do to secure your web site is run HTTPS.” This is so, so far from the truth. That’s not to say that HTTPS cannot help us. Indeed, it is a very critical technology, but it can’t do anything to stop these types of malvertising campaigns.
“Malvertising campaigns exploit a number of systemic weaknesses within the web’s ecosystem. These campaigns target verification and validation weaknesses in the ad networks and platforms. Then, after successfully gaining access to these ad systems, the associated attackers take advantage of scale and lax patching. Scale is an issue here because one successful penetration of an ad system leads to huge payoff in terms of the total number of victims who can be attacked via malicious ads. The final problem, which is where the exploit kit aspect of this problem wins, is due to massive amounts of lax software patching. Exploit kits focus largely on vulnerabilities in Adobe Flash, Java, and Silverlight along with vulnerabilities in the core web browsers themselves, and exploit kits thrive because so many end users don’t keep their software patched and updated.
“What does all this mean? The web is in a poor state of security, and there is no single person or system to blame. In terms of malvertising, there are two areas that we must focus on. First, ad networks and platforms need to enhance their verification and validation processes. Attackers have a huge incentive to penetrate these systems. Further, ad networks and platforms have a lot to lose in terms of consumer trust. If large scale malvertising campaigns such as this continue, consumers will lose more and more trust in these ad services, which can ultimately lead to financial losses for the ad organization. Second, end users need to be vigilant when clicking advertising links and should always keep their software patched and updated.”