BBC, The New York Times, AOL, MSN, Newsweek, and others unintentionally infected some visitors with ransomware.
Did you click on an ad from the BBC, New York Times, or Newsweek websites recently? Congrats, you might have malware!
As first reported by Trustwave, and confirmed by several other security firms, these and other sites—including AOL, MSN, Answers.com, ZeroHedge.com, and Infolinks.com—were hit by malicious ads served up by once-legitimate networks that were taken over by scammers.
“It seems that an experienced actor has acquired an expired domain of a small but probably legitimate advertising company in order to utilize [it] for malicious purposes,” according to Trustwave, which said the Angler exploit kit is to blame.
It turns out several high-profile sites were retrieving a JSON file, as they normally would, to pull advertising content from providers.
“It’s important to note,” Trustwave said, “that while these popular sites are involved in the infection process,” they are still victims of malvertising. “The only ‘crime’ here is being popular and having high volumes of traffic going through their sites daily.”
This attack points to a larger trend in malvertising: the stalking of domains that are nearing their expiration date—in this case, those containing the word “media.” According to the BBC, the domain exploited in this case fell into the hackers’ hands in January.
“Users and organizations are advised to make sure that [they] keep their applications and systems up-to-date with the latest security patches; Angler Exploit Kit is known to exploit vulnerabilities in Adobe Flash and Microsoft Silverlight, among others,” Trend Micro said in a blog post.
Trend Micro “is already able to protect users against this threat,” while Malwarebytes said its “Anti-Exploit blocks the malvertising attack when it launches the exploit kit.”