Malvertising Attack Threatens 2 Million answers.com Visitors Daily


Batu69


RIG exploit kit takes on large malvertising campaign

There has been an interesting battle between two exploit kits in the past few months. Following the demise of the Angler exploit kit in June, Neutrino EK assumed the lead position as the top malware and malvertising campaigns defaulted to it. Since then there have been several shake-ups, and an underdog by the name of RIG EK replaced Neutrino EK on several high-volume attacks from compromised websites.

Today we spotted a malvertising incident on the popular website answers.com (2 million visits daily) following the same pattern previously used by Angler EK and subsequently Neutrino EK: the ‘domain shadowing’ practice combined with the HTTPS open redirector from Rocket Fuel (rfihub.com). Contributing to its recent expansion, RIG EK was the go-to exploit kit for this campaign.


Some visitors that browsed the knowledge-based website were exposed to the fraudulent and malicious advert and could have been infected without even having to click on it.

[Image: flow2]

Domain shadowing:

  • https://ads.retradio.com/www/delivery/afr.php?id=69151&target=_blank&click=http://r.turn.com/{redacted} -> Referer: http://www.answers.com/Q/What_is_Windows_7_loader

Open redirector and RIG EK:

  • https://p.rfihub.com/cm?forward=http://speerhaaien.eclouds.co.uk/?wXqBcrWeKB3PAoI=l3SKfPrfJxzFGMSUb-{redacted}
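The two URLs above show the redirect chain the campaign relied on: a shadowed ad-server domain hands the browser to an open redirector, whose `forward=` parameter points at a host that has nothing to do with the redirector. As an added example (not code from the article or from Malwarebytes), the following script scans proxy log lines for exactly that pattern: a redirect-style query parameter carrying an absolute URL on a different host than the redirector itself. The log format (`time client method url referer`) and the list of parameter names are assumptions for this example; the sample lines are constructed and use the literal `REDACTED` where the article redacted its URLs.

```python
from urllib.parse import urlsplit, parse_qs

# Query-parameter names commonly used by ad redirectors to carry the next hop.
# Constructed list for this example; extend it from your own traffic.
REDIRECT_PARAMS = {"forward", "click", "url", "redirect", "dest", "u", "r"}


def external_redirect_target(url):
    """Return the absolute URL carried in a redirect-style query parameter when
    its host differs from the redirector's own host; None otherwise."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for value in values:
            target = urlsplit(value)
            if (target.scheme in ("http", "https") and target.hostname
                    and target.hostname != parts.hostname):
                return target.geturl()
    return None


def scan_proxy_log(lines):
    """Flag requests that hand the client to another host through an open
    redirector. Expects '<time> <client> <method> <url> <referer>' lines
    (constructed format; '-' means no referer)."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        _time, client, _method, url, referer = fields[:5]
        target = external_redirect_target(url)
        if target:
            findings.append({
                "client": client,
                "redirector": urlsplit(url).hostname,
                "target": urlsplit(target).hostname,
                "referer": urlsplit(referer).hostname if referer != "-" else None,
            })
    return findings


# Constructed sample lines reproducing the chain described in the article.
SAMPLE_LOG = [
    "10:01:02 10.0.0.5 GET http://www.answers.com/Q/What_is_Windows_7_loader -",
    "10:01:03 10.0.0.5 GET https://ads.retradio.com/www/delivery/afr.php?id=69151&target=_blank&click=http://r.turn.com/REDACTED http://www.answers.com/Q/What_is_Windows_7_loader",
    "10:01:04 10.0.0.5 GET https://p.rfihub.com/cm?forward=http://speerhaaien.eclouds.co.uk/?wXqBcrWeKB3PAoI=l3SKfPrfJxzFGMSUb-REDACTED https://ads.retradio.com/www/delivery/afr.php",
    # Same-host redirect: a normal login bounce, must not be flagged.
    "10:01:05 10.0.0.6 GET https://shop.example.net/login?redirect=https://shop.example.net/account -",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f['client']} {f['referer']} -> {f['redirector']} -> {f['target']}")
```

Because the redirector in this campaign is reached over HTTPS, a gateway sees only the `p.rfihub.com` hostname unless it inspects TLS; the forwarded destination is visible at the endpoint or to an inspecting proxy, which is where this kind of check belongs.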

RIG EK, the new Neutrino?

In early September we noticed a change in how RIG drops its malware payload. Rather than using the iexplore.exe process, we spotted instances where wscript.exe was the parent process of the dropped binary.

[Image: 2versions]

This may seem like a minor difference, but it has long been Neutrino’s trademark and is used as a way to bypass certain proxies. Below is a comparison of the scripts Neutrino EK and RIG EK use to download the encoded malware binary.
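The change in parent process described above (wscript.exe rather than iexplore.exe spawning the dropped binary) is something endpoint telemetry can flag directly. As an added example, not from the article or from Malwarebytes, the following script walks process-creation events and reports executables launched from user-writable directories by a Windows Script Host process or by Internet Explorer. The event fields (pid, ppid, image), the directory markers and the inclusion of cscript.exe alongside wscript.exe are assumptions of this example; the events are constructed, not real telemetry.

```python
import ntpath

# Parent processes named in the article: RIG moved from iexplore.exe to
# wscript.exe as the parent of the dropped binary. cscript.exe is added here
# as the console twin of wscript.exe (an assumption of this example).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"iexplore.exe"}
# Directory markers a drive-by download typically writes into (constructed list).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def in_user_writable_dir(path):
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def suspicious_drops(events):
    """events: process-creation records as dicts with pid, ppid and image.
    Returns (parent_name, child_image, reason) for executables started from a
    user-writable path by a browser or a Windows Script Host process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        parent = by_pid.get(event["ppid"])
        if parent is None:
            continue
        child = event["image"]
        if not child.lower().endswith(".exe") or not in_user_writable_dir(child):
            continue
        parent_name = image_name(parent["image"])
        if parent_name in SCRIPT_HOSTS:
            findings.append((parent_name, child, "binary launched by script host"))
        elif parent_name in BROWSERS:
            findings.append((parent_name, child, "binary launched by browser"))
    return findings


# Constructed process-creation events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    # Newer behaviour described in the article: IE -> wscript.exe -> dropped EXE
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\victim\AppData\Local\Temp\update_3f2a.exe"},
    # Older behaviour: iexplore.exe directly as the parent of the dropped EXE
    {"pid": 500, "ppid": 200, "image": r"C:\Users\victim\AppData\Local\Temp\setup_b77c.exe"},
    # Benign: a logon script starting a system binary, and a normal user app
    {"pid": 600, "ppid": 300, "image": r"C:\Windows\System32\net.exe"},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for parent, child, reason in suspicious_drops(SAMPLE_EVENTS):
        print(f"{reason}: {parent} -> {child}")
```

Matching on the parent image name is deliberately coarse: legitimate logon scripts run under wscript.exe too, which is why the check also requires the child to live in a user-writable location rather than flagging every script-host child.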

[Image: neutrino_vs_rig]

For the past weeks, RIG EK has been observed dropping the CrypMIC ransomware, a payload that Neutrino first served back in July.

More of the same fake advertisers

Threat actors are favouring RIG over its rival Neutrino, as can be seen from various malware campaigns. In the meantime, domain shadowing in the malvertising space is still an effective means of duping ad agencies via social engineering. While this practice is well known, it also remains a powerful method to bypass traditional defences at the gateway by wrapping the ad traffic (and malicious code) in an encrypted tunnel.

Since malvertising does not require any user interaction to infect your system, you should keep your computer fully up to date and uninstall unnecessary programs. Running an additional layer of protection, such as exploit mitigation software, ensures that drive-by download attacks leveraging zero-day vulnerabilities are also stopped.


Article source

The US Congress is looking at a bill that would make heads of agencies responsible for breaches of their respective networks and could result in demotions, pay reductions, or firing, based upon the severity. Businesses would do well to adopt the same standards. Companies/web sites that host these attacks ought to be held responsible. According to some of the best lawyers in San Francisco that I have talked to lately, there is precedent for filing class action lawsuits in cases such as the one depicted above against the hosting web site. This would give more motivation to websites policing their ads and those of their ad companies. Personally I would rather treat the malvertisers as what they are, terrorists, and go after them with special operation troops. Could you imagine a team from Delta Force 'dropping' in on a malvertiser at 3am with concussion grenades (we don't currently have any in the inventory so we would have to use conventional hand grenades) and neutralizing the objective. Now that would be a deterrent.

The problem is the USA has no authority outside its jurisdiction, no way. Most of the time when anyone gets arrested for these exploit kits it takes a global Interpol effort. But many exploit kits are in countries that won't help the USA or the West out. Like RIG exploit, which has been making its rounds since 2014.

http://malware-traffic-analysis.net/2014/05/07/index.html

The business world can not hold up the law. Being a vigilante is a crime too; only you are responsible for your own security. You must report breaches to the proper channels. The reason businesses are going to be held responsible is that many try to hide the fact they were breached because it's bad for business, and many are too cheap to buy proper security to begin with. These rich companies don't pay my bills, no way, so I could care less what happens to them in the end.

And comparing terrorism with online crime is nonsense; not all hackers have ties with this. Before terrorism the Government blamed everything on Communism: they would just find something new to blame it on so they can control everyone. It's the world's own fault that they store all this info online. The world existed for 1000s of years just fine without it. The world has dug its own grave and doesn't have sense enough to reverse it.

Golly gee, I trusted my life with man-made technology that the whole world can try to access and breach me, sort of thing going on now in the 21st century. It just shows how pathetic the world has become, and they are chasing ghosts, invisible entities, that you can not see, and many are located in places where, as long as they don't mess with their own country, they will never be stopped. So at best all your browser vendor can do is patch it and stop one of them, like Microsoft did last Patch Tuesday for a 2 year old exploit that they knew about... If people were serious about this they would be plugging holes for these old exploits like RIG every day, but they wait years to do anything. It's a big freaking joke really...

They're patching things that have not even ever been exploited in the wild, paying millions to researchers, and exploits in the wild already go for years never patched. What's not in the wild can't harm you yet. So it's a false sense of security.

They can pass laws till they turn blue in the face but there is a big problem with this: there's just one country with one set of laws. There are 197 more countries with different laws on cyber warfare; they may look good on paper, but it's yet to be seen they accomplish anything but make people stop trusting the internet, or they could destroy it. Life will go on with or without it; you don't have to have it to live. If you think you do you have lost touch with reality. :P
