Angler exploit kit targets up to 156 million UK Daily Mail readers in malvertising spree


Karamjit

The infamous Angler exploit kit has been striking up to 156 million Daily Mail readers a month.

The Angler exploit kit has compromised the Daily Mail's online domain, potentially exposing up to 156 million readers a month to malicious advertising.

Malvertising is a persistent problem for online domains that rely on advertising revenue to stay afloat. In order to increase the click-through rates of ads -- increasing revenue for domain owners -- third-party networks often tailor the advertising you see based on data such as search history or topics of interest.

These advertising networks are commonly used by popular websites which reach millions of users a month, making them a potentially lucrative attack vector for cybercriminals looking to compromise your systems.

In the technique known as malvertising, attackers pay for adverts that link to malicious domains to be displayed on web domains. If a victim clicks through, they are potentially exposing themselves to malware payloads and PC compromise, and may also be enticed to submit their sensitive data if they believe themselves to be on a legitimate website.

While controls are in place to filter these ads and stop them from becoming part of an advertising ecosystem, unfortunately, some will inevitably slip through the net.

On Tuesday, cybersecurity firm Malwarebytes disclosed in a blog post that the "sophisticated" attack, previously documented as targeting eBay and Yahoo, has now turned its attention to the Daily Mail, a popular UK-based news publication which accounts for millions of monthly visitors.

As with many other online publications, advertisers bid to win prominent display panels on a website page. The Malwarebytes security team discovered that a group of cyberattackers had won one of these auctions, sending an advert to be displayed close to the Daily Mail toolbar. If this advert was clicked, users were then sent to a fake advertising server -- supported by Microsoft's Azure platform -- which led to the Angler exploit kit.

The malware then fired known Internet Explorer and Adobe Flash Player exploits at the victim's system.

If the victim's PC was not fully patched and up-to-date, vulnerabilities in IE and Adobe Flash player allowed the exploit kit to infect the system, which then received a nasty payload of ransomware known as CryptoWall.

Unfortunately for users, once this ransomware has infected a system, files are encrypted and a 'ransom' payment in Bitcoin is demanded if victims wish to unlock their systems.

Source
