Ad Networks are Great for Malware Distribution

Last week, several major news sites unwittingly served as malware mules.

When you visit a website, the publisher displays whatever their ad networks target for you. As the page loads, ad space is sold to the highest bidder on an exchange. Sometimes the highest bidder on New York Times’s network just happens to be a hacker serving ransomware.

They were using the Angler Exploit Kit, which is actually quite clever. Angler hides encrypted code in an innocuous-looking advertising image. The attackers send the private key to decrypt the malicious code only if they determine you to be a good target.

A GIF can contain embedded code.
A GIF can contain embedded code.

Remember how ad trackers create a digital fingerprint based on your browser version and installed plugins? The fingerprint script used here also tells attackers whether you have security software installed. They want to only attack vulnerable systems on residential networks, avoiding targets that look like security researchers who might blow their cover.

So if the fingerprint script decides you’re a good mark, it fetches the private key to decrypt the embedded code. The code runs and exploits some Java/Flash/IE vulnerability, and suddenly your hard drive is locked with a pop-up demanding Bitcoin.


The ransomware is designed to hit only once per IP address. This is to avoid reproducibility by security experts, but it also makes the ransomware similar to a tax. I wonder if ransomware will become the tax obligation that gives Bitcoin the price support it needs.

Block me if you can

Good thing we use Adblock Plus, right? Nope!

Google, Amazon, Microsoft, and Taboola paid the creators of Adblock to allow their ads to get through. And Google’s DoubleClick was one of the ad networks delivering this exact exploit kit.

According to Adblock, they whitelist “acceptable ads” that meet certain criteria. If you visit a lot of sketchy warez sites, you will recognize Taboola as the purveyor of pornographic popups. Apparently Adblock’s acceptability criteria is money. Adblock: It’s like ransomware for advertisers.

A security hole doesn’t disappear just because you outsource your problem to Adblock Plus. But you can better protect yourself by installing those stupid Java updates that pop up every few days. If that’s too annoying, you can always go back to using Lynx.

See Also:
1. Operation Fingerprint: A look into several Angler Exploit Kit malvertising campaigns –Malwarebytes
2. Don’t Hate the Ad, Hate the Ad-Tracker

4 thoughts on “Ad Networks are Great for Malware Distribution

Leave a Reply