Ad networks have shown to be effective tools in spreading malware to a large number of sites simultaneously. Attackers who manage to be accepted into a ad distribution service can possibly have millions of eyeballs on a malevolent ad for a fraction of the cost it would take to buy or build spam lists, for example.
Malware researchers at Blue Coat recently identified a large malware campaign, a component of which included malicious ads redirecting users to sites hosting the Blackhole exploit kit.
Sites such as the Los Angeles Times site, Salon, The Fiscal Times, Women’s Health magazine and US News including several others were hosting ads serving malware as recently as Aug. 23 before the campaign shut down, researcher Chris Larsen said. Many news sites and a number of popular online survey and quiz sites were also hosting malicious ads as part of this campaign.
“All of the sites it relayed traffic to were evil,” Larsen wrote in a blogpost this week. “Each of these was registered (anonymously) last year, lay dormant for at least eight months (almost a year, actually, in one case!), popped into life for a couple of days in August, relayed its share of the traffic, and then retired. It’s an impressively large (and patient!) malvertising operation.”
“The long hibernation time for these sites is very interesting,” Larsen wrote. “A second point of interest is how segmented this attack is — the Bad Guys managed to get each of these fake ad domains into a position of trust with a different target market, so that even if one were to be discovered, the overall attack could continue.”