Malwarebytes is reporting an increase in malvertising coming from popular adult websites. The attack is taking advantage of the ExoClick ad network to push ads to sites. It adds to the evidence from other security companies that ad networks are failing to validate and regulate the ads they are serving up. Once reported to ExoClick by Malwarebytes, the company reports the ads concerned were taken down.
In the Malwarebytes press release it says: “Malicious actors are using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously redirect users to the RIG exploit kit.” It goes on to say: “The ultimate payloads we collected during this time period were all the Ramnit information stealer (banking, FTP credentials, etc.) which despite a takedown in 2015 has rebounded and is quite active again.”
How does it work?
Pop-up ads appear over the top of the browser window. The user sees them and is aware that they exist. Pop-under ads are launched behind the main window and are meant to be hard for the user to detect. Once launched the ad redirects the user to a traffic distribution site that loads adult portals/offers via ExoClick. Malwarebytes reports that this is benign and carries no payload.
The next stage does the damage. It starts by loading a redirect page and then carries out a geolocation fingerprinting of the end-user device. If the user is in Canada or the UK it then attempts to load the RIG exploit kit. Users in other areas were redirected to a bogus offer rather than have the RIG EK loaded onto their machine.
Malwarebytes has listed the RIG EK domains and the IP addresses uses in this attack. They can quiakly be added to router tables by IT teams.
Malvertising is becoming an increasing threat to both users and organisations. Companies are happy to allow Ad Networks to serve them adverts because it allows them to earn revenue from their sites. What they do not do is their validation of the content and what the ads are doing. While this attack went after adult websites it would have been easy for the attackers to target other types of sites.
There is always a question as to why ExoClick failed to spot this attack. Given the constant malvertising campaigns over the last five years it should have its own processes to deal with this. We have emailed the ExoClick PR team for a statement and will add it when they respond.