Malvertising reaches record levels in June
The company monitors over 2 million endpoints for suspicious activity. Not only is there more malvertising than before, from more high-profile sites, but most of the malware was new to antivirus vendors.
[ ALSO ON CSO: GameZone, Huffington Post hit by malvertising attack ]
According to Pat Belcher, the company's director of malware analysis, what happens is that the criminals actually bid for the prime advertising slots, though they probably pay for them with stolen credit card numbers.
Then they use zero-day Adobe exploits to install clickfraud, botnet, ransomware, and banking Trojan malware.
And the attackers don't stop with just one type of infection, he added.
"We have seen instances where the initial infection delivers clickfraud malware and then, say, two days later, it will encrypt the hard disk," he said.
The reason is that advertising companies have been coming down hard on clickfraud, and will blacklist machines when they spot them. That makes the machines useless for clickfraud, so the fraudsters move on to something else.
"It's a dirty, dirty trick," Belcher said. "I'm going to use you for all you're worth, then you're going to pay me for the privilege of me letting you use your computer again."
Keeping patches up to date and avoiding suspicious sites aren't effective strategies against these guys. Not only do they go after brand-name, popular websites, but they are also using zero-day exploits.
"Most of the malvertising that we saw in June appears to be delivered by an exploit kit using the latest Adobe zero day," Belcher said.
Adobe released a patch last week for June's zero days, he said -- but the attackers have already found three new zero days, and have already updated their exploit kits.
The specific websites serving up the malware included Drudgereport.com, CBSSports.com, Yahoo.com, Livestrong.com, eBay UK, Verizon FiOS homepage, PerezHilton.com, ViralNova.com and Glenn Beck's TheBlaze.com.
The websites themselves were not hacked and, for the most part, the publishers were unaware of the malicious activity, according to Belcher, as the criminals got in through the advertising networks.
However, there were also other websites that were attacked directly, mostly as a result of known flaws in Wordpress themes and plugins, and were used to deliver malware as well.
Another tactic that is becoming more common with attackers is that of "sleeper" malware, which lies dormant after download for 14 hours or longer, in order to evade network sandboxes looking for suspicious activity.