Hackers Buy Ads to Install Malware

Last month, I was contacted by a client to help resolve some security issues on her website (brabbly.com) When I visited the site, there did not seem to be any underlying issues, except for multiple pop ups, which I thought were legitimate ads from the site.

However, I was wrong. On talking to the owner, I found out that the site does not have any ads enabled on the backend. Therefore, I though of the usual culprit; using a nulled theme.

But then again, she swore that she was using a clean them from MyThemeshop.

With the possibility of using a nulled theme out of the way, I set up to investigate. I randomly looked at the code of about 10 sample pages.  The pages did not seem to have anything. The content was okay, just discussing things such as no bounce sports bras, big boob problems, best bra for neck and shoulder pain, and other related topics. It’s a blog about women lingerie.

Well, since the theme wasn’t nulled and the site didn’t appear to be hacked, what could be the problem?

Read on to find out.

I have been waiting for this is happen for a while now. Jeremiah and I discussed this about a year ago while thinking about the fastest way to deploy malware across the web. Our idea was slightly different but the same principles apply, buy your way on to the big sites with ads or convince a site to install a widget/JS snippet.

In this attack the malware distributors purchased ad space on the doubleclick network, uploaded encrypted flash ads that then did drive by malware installs. Here is a video that shows what happens when one of these banners is displayed and attempts to install malware.

This is a very interesting attack but here is what a lot of people fail to realize. Ads, widgets, flash etc are all programs that execute in your browser. Once I source code from another source (like the youtube movie above) I have given up control of my webpage to a third party. Youtube could change that code to do something completely different tomorrow and the only recourse I have is to notice it and remove the code from my site. While removing the code that calls the YouTube video will remove the attack vector from my site, I (really my users) where exposed for the time it was available.The malware people are already thinking about this as well. As demonstrated in the video above, they are not attempting to infect everyone all the time but do it to some people some of the time. Pretty tricky eh?I fear this is only going to get worse. Hold on to your seats, it is going to get bumpy.


Leave a Reply

Your email address will not be published. Required fields are marked *