Malicious ads that rely on browser vulnerabilities can be activated from within Skype, researchers find.
Security researchers at F-Secure this week discovered a malvertising campaign within Skype. The campaign displayed “poisoned” ads on the chat platform that could install malware on users’ computers without the help of a browser exploit.
The advertising campaign redirected users who clicked on the ads to a landing page for the Angler exploit kit, which can automatically download and install ransomware. As its name suggests, ransomware encrypts an entire hard drive and then displays a message asking the victim to pay money—typically in bitcoin—to receive the unlock key.
This attack wasn’t specifically targeted at Skype users. Using the AppNexus ad platform, the malicious ads also showed up on many shopping and news websites like eBay, MSN, and The Daily Mail.
But their presence on Skype was noteworthy because no browser is involved. “It was interesting to note that having the ad displayed in a platform external to the browser did not mean that the browser was no longer accessible and thus the user could no longer be affected,” the researchers explained in their blog post.
Several Skype security vulnerabilities have been uncovered over the years, not all of which have been exploited. But the fact that Skype can be exposed to browser-based attacks even though it doesn’t use a browser is especially concerning, according to blogger David Bisson, who covers security issues.
“This latest campaign clearly demonstrates that platforms that display ads, even when they are not the browser, are not immune from malvertising,” Bisson wrote in a separate blog post.
F-Secure said the campaign “seemed to have ended quite fast,” but Bisson suggested installing an ad blocker or making sure your PC is protected by an antivirus solution.