What do the NY Times, the BBC, Newsweek, The Hill, MSN, AOL, the Weather Network, the NFL, and Realtor.com all have in common? Their popular websites recently served up ads that stealthily try to infect visitors' computers with ransomware and other nastiness. The advertisements may have exposed multiple thousands of visitors over the day or so they ran before being noticed.
The ads were served from two domains through big services including Google, AppNexus, AOL and Rubicon, which were somehow tricked into placing them. The campaign started by experimenting with smaller targets and toolkits last week. Then it upgraded to the biggest sites and began using the Angler suite of exploits. As if holding your data hostage weren't bad enough, it also downloads several Trojans.
The only good news in all this is that the compromised site first looks for a long list of security products and tools on the visitor’s computer that it wishes to avoid. Only if none are found will it then send out the infected advertisement with the rest of the webpage.
As browser add-ons like Adobe Flash, Microsoft Silverlight, and Java are targeted by the Angler toolkit, it's a good idea not to use them unless absolutely needed. Also keep your antivirus programs up to date and, above all, back up everything.
This applies to Mac owners, too. Just last week the very first Macintosh-targeting ransomware was discovered. Concealed in version 2.90 of the cross-platform torrent client Transmission, it targets OS X and is signed with a valid Apple app development certificate, which lets it bypass normal Apple defenses. Users are warned to upgrade to Transmission version 2.92 immediately to remove it. The bad guys charge $400, and as always, it's never certain that they will keep their end of the deal or, as in the case of the latest attack, that they have not concealed other viral bombs in the data.
The corrupted code was only up for a day, and it is unknown how many people could have been infected. But as Apple has been almost magically immune to all kinds of malware before now, this may be the start of a disturbing new trend.