Incident Response, Malware, TDR

Malicious ads impact Java.com, TMZ and Photobucket site visitors, firm finds

A number of high-profile websites, including Java.com, TMZ.com and IBTimes.com, were impacted by a malvertising campaign which spread malware to online visitors.

According to Fox-IT, which blogged about the threat Wednesday, at least eight websites were found hosting poisoned ads, which were rigged to include the Angler exploit kit. EBay.ie, Photobucket.com, Kapaza.be, TVgids.nl, and Deviantart.com were also among the group of targeted sites.

Fox-IT observed the attacks on its clients between Tuesday and Friday of last week, the company revealed.

“Upon landing on this exploit kit, a few checks were done to confirm whether the user is running a vulnerable version of either Java, Flash or Silverlight,” the post said, detailing the attack. “If the user was deemed vulnerable, the exploit kit would embed an exploit initiating a download of a malicious payload. In this campaign it was the Asprox malware.”

In a Thursday interview with SCMagazine.com, Yonathan Klijnsma, cybercrime security expert at Fox-IT, said that it was later determined that a component of the Asprox botnet, called “Rerdom,” was being spread as one of the main malicious modules.

“[Rerdom causes] the infected computers to click on advertisements,” Klijnsma said, adding that the Windows malware allows scammers to “perform ad fraud on a large scale.”

Fox-IT noted that attackers targeted ad network AppNexus to poison the advertisements. In its blog post, the firm said that visitors didn't need to click on the malicious advertisements to be infected, as the attack occurred “silently in the background as the ad is loaded by the user's browser.”

In his interview, Klijnsma advised users to disable any browser plug-ins that are barely used, or to make sure they are updated if in use, to prevent similar attacks from occurring.

AppNexus addressed the issue on Friday, he added, and the firm has remained in contact with the advertiser to make sure the campaign is no longer active.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds