Malvertising maniac messes MSN, serves corrupted creative

Yahoo! appetiser, HuffPo for mains, and MSN for dessert.

A chap who might just be the world's worst malvertising marauder has popped MSN, potentially compromising some of the site's 10 million daily visitors with an exploit kit so capable it p0wns almost half of those who encounter it.

The attacker, understood to be an individual dubbed Fessleak, smashed MSN after popping Yahoo! and The Huffington Post, and after exposing some 10 million visitors in a 10-day blitzkrieg against popular Asian websites.

“The same ad network, AdSpirit.de, which was recently abused in malicious advertising attacks against a slew of top media sites, was caught serving malvertising on MSN.com,” says Jerome Segura of Malwarebytes.

“The incident occurred when people who were simply browsing MSN’s news, lifestyle or other portals were served with a malicious advertisement that silently loaded the Angler exploit kit and attempted to infect their computers.”

The malvertising guru says ad requests from AppNexus loaded the booby-trapped advertisement from AdSpirit, which in turn kicked off the rest of the redirection chain. No click was needed: the creative did its work at impression time.


Segura says the attack uses Red Hat’s OpenShift cloud platform (rhcloud.com) as the hop that redirects users on to the Angler exploit kit, a change from the Microsoft Azure hosting leveraged in the earlier attacks.

The payload is likely advertising-fraud malware or ransomware, the hallmark drop of Angler. The malvertising campaign has been reported and taken offline, but pulling one creative does nothing in isolation to stop or even slow an actor who has already hopped between ad networks and cloud redirectors.

Here's how the infection chain works, hop by hop:

  • msn.com/en-us/news/politics/dozens-of-clinton-emails-were-classified-from-the-start-us-rules-suggest/ar-BBlXPkl?ocid=iehp (publisher page)
  • lax1.ib.adnxs.com/{redacted} (AppNexus ad exchange)
  • pub.adspirit.de/adframe.php?pid=7&ord=[timestamp]prdclick_0 (AdSpirit ad server, serving the creative)
  • trkp-a1009.rhcloud.com/?tr28-0a22 (Red Hat OpenShift redirector)
  • fox23tv.com/?cn67CuYcDcbvV (same creative, now redirecting to the malicious URL)
  • abbezcqerrd.irica.wieshrealclimate.com (iframe to the exploit kit)
  • hapme.viwahcvonline.com (Angler EK landing page)
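The chain above is exactly the kind of thing a proxy log or HAR capture hands an incident responder, and the tell is structural: an impression-time ad call that leaves the ad-tech domains, bounces through a free PaaS app, and ends on a non-ad-tech host nobody has seen before. The script below, an added example rather than code from Malwarebytes or this article, walks the page's own seven hops and flags those transitions. The ad-tech and PaaS lookup tables, the `registrable_domain` shortcut (last two labels; real code should use the public suffix list) and the "deep non-www subdomain" heuristic are assumptions made to keep it self-contained; the URLs are the ones reported on the page, with a scheme prepended so they parse.

```python
"""Annotate an impression-time ad redirect chain and flag hops that should not be there.

Added example, not the article's or Malwarebytes' code. Lookup tables and the
subdomain heuristic are assumptions; the chain is the one reported on the page.
"""
from urllib.parse import urlparse

# The seven hops from the page, in order. The AppNexus path is redacted there too.
MSN_CHAIN = [
    "http://msn.com/en-us/news/politics/dozens-of-clinton-emails-were-classified-from-the-start-us-rules-suggest/ar-BBlXPkl?ocid=iehp",
    "http://lax1.ib.adnxs.com/{redacted}",
    "http://pub.adspirit.de/adframe.php?pid=7&ord=[timestamp]prdclick_0",
    "http://trkp-a1009.rhcloud.com/?tr28-0a22",
    "http://fox23tv.com/?cn67CuYcDcbvV",
    "http://abbezcqerrd.irica.wieshrealclimate.com/",
    "http://hapme.viwahcvonline.com/",
]

# Assumed tables: domains that legitimately serve ad calls, and general-purpose
# PaaS domains that have no business sitting between an ad server and its creative.
AD_TECH = {
    "adnxs.com": "AppNexus ad exchange",
    "adspirit.de": "AdSpirit ad server",
}
PAAS_REDIRECTORS = {
    "rhcloud.com": "Red Hat OpenShift Online",
    "azurewebsites.net": "Microsoft Azure Web Apps",
}


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Use the public suffix list in production."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def classify_hop(url, publisher_domain):
    """Label one hop by the registrable domain of its host."""
    dom = registrable_domain(urlparse(url).hostname or "")
    if dom == publisher_domain:
        return "publisher"
    if dom in AD_TECH:
        return "ad-tech"
    if dom in PAAS_REDIRECTORS:
        return "paas-redirector"
    return "unknown"


def analyze_chain(urls):
    """Return (hops, alerts) for an ordered load chain where the user did not click.

    hops is a list of (hostname, role); alerts describe hops that should not appear
    between an ad call and the creative it renders. Advertiser click-through
    landing pages are deliberately out of scope, since they would also be 'unknown'.
    """
    if not urls:
        return [], []
    publisher = registrable_domain(urlparse(urls[0]).hostname or "")
    hops = [(urlparse(u).hostname or "", classify_hop(u, publisher)) for u in urls]
    alerts = []
    ad_call_seen = False
    for i, (host, role) in enumerate(hops):
        if role == "ad-tech":
            ad_call_seen = True
        elif role == "paas-redirector":
            provider = PAAS_REDIRECTORS[registrable_domain(host)]
            alerts.append(f"hop {i}: ad call bounced through {provider} ({host})")
        elif role == "unknown" and ad_call_seen:
            labels = host.split(".")
            # Heuristic: a non-www subdomain under an unknown domain looks like a
            # throwaway host of the kind exploit kits rotate through.
            deep = len(labels) >= 3 and labels[0] != "www"
            note = " on a throwaway-looking subdomain" if deep else ""
            alerts.append(f"hop {i}: ad call left the ad network for unknown host {host}{note}")
    return hops, alerts


def is_malvertising_chain(urls):
    """True when the chain contains at least one hop that an ad impression should never take."""
    return bool(analyze_chain(urls)[1])


if __name__ == "__main__":
    hops, alerts = analyze_chain(MSN_CHAIN)
    for host, role in hops:
        print(f"{role:16} {host}")
    print("\n".join(alerts))
```

Run against the MSN chain this yields one alert for the OpenShift bounce and one for each of the three hosts after it; the same script over just the first three hops (publisher, AppNexus, AdSpirit) raises nothing, which is the shape a clean ad impression should have. The useful operational move is to run it over every chain in a session, not just ones you already suspect.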
