New malware poses as adware: Blue Coat alert

07th August 2014

Here's a new buzzword: Malvertising!
Bangalore, August 8, 2014: Blue Coat Systems, Inc., the global leader in business assurance technology, has uncovered a malvertising attack that is leveraging major legitimate ad networks such as ads.yahoo.com to drive a CryptoWall ransomware campaign.
In malvertising attacks, cyber criminals gain legitimacy for their ad servers within ad networks and then serve malicious ads to high-profile sites. The ads appear legitimate but deliver malware or other unwanted software to the unsuspecting user.
Says Chris Larsen, Architect of the WebPulse Threat Research Team for Blue Coat Systems:
“What looked like a minor malvertising attack quickly became more significant as the cyber criminals were successfully able to gain the trust of the major ad networks like ads.yahoo.com. The interconnected nature of ad servers and the ease with which would-be-attackers can build trust to deliver malicious ads points to a broken security model that leaves users exposed to the types of ransomware and other malware that can steal personal, financial and credential information.”
Over a period of several weeks, Blue Coat security researchers tracked malicious traffic associated with the CryptoWall ransomware campaign. CryptoWall is a Trojan that encrypts various document file types and demands a financial payment for their safe return. While investigating where the traffic to the malicious sites originated, the research team identified a series of referring websites in countries such as India, Myanmar, Indonesia and France.
In addition to a variety of sites across countries and languages, the research team also identified adsmail.us as a referring site to the malicious networks. Blue Coat security researchers flagged the site as malvertising when they noted it was sending traffic to another malicious network and wasn’t sending traffic to any legitimate sites whatsoever. Adsmail.us is also fed traffic by at least two other suspicious ad servers, instadserver.com and australianadserver.com. Traffic is also fed by ads.yahoo.com and other legitimate ad networks.
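The heuristic described above (a referrer whose only outbound destinations are known-bad or already-flagged hosts is itself treated as malvertising, while an ad network that sends traffic both to such hosts and to legitimate sites is a feeder rather than a malicious node) can be applied to ordinary proxy logs. The following is an added example written for this page, not code from Blue Coat or its WebPulse team; the log lines, the blocklist entry `bad-landing.example` and the example sites are constructed, and the log format (client, referrer URL, destination URL per line) is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not real Blue Coat data):
# one record per line, "client referrer_url destination_url".
SAMPLE_LOG = """\
10.0.0.5 https://ads.yahoo.com/serve?id=1 https://adsmail.us/click?c=9
10.0.0.5 https://adsmail.us/click?c=9 https://bad-landing.example/gate.php
10.0.0.6 https://instadserver.com/ad https://adsmail.us/click?c=11
10.0.0.6 https://adsmail.us/click?c=11 https://bad-landing.example/gate.php
10.0.0.7 https://australianadserver.com/a https://adsmail.us/click?c=12
10.0.0.7 https://adsmail.us/click?c=12 https://bad-landing.example/gate.php
10.0.0.8 https://ads.yahoo.com/serve?id=2 https://news.example/article
10.0.0.9 https://ads.yahoo.com/serve?id=3 https://shop.example/deal
"""

# Assumed blocklist of hosts already known to serve the malicious payload (constructed).
KNOWN_MALICIOUS = {"bad-landing.example"}


def host_of(url):
    """Return the hostname of a URL, or '' if it cannot be parsed."""
    return urlparse(url).hostname or ""


def parse_log(text):
    """Turn log lines into (referrer_host, destination_host) pairs, skipping malformed lines."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _client, referrer, dest = parts
        ref_host, dest_host = host_of(referrer), host_of(dest)
        if ref_host and dest_host and ref_host != dest_host:
            pairs.append((ref_host, dest_host))
    return pairs


def build_referrer_graph(pairs):
    """Map each referring host to the set of hosts it sends traffic to."""
    graph = defaultdict(set)
    for ref, dest in pairs:
        graph[ref].add(dest)
    return dict(graph)


def classify_referrers(graph, malicious):
    """Flag referrers whose every destination is malicious or already flagged.

    Iterates to a fixpoint so that an ad server feeding only a flagged
    intermediary (e.g. a suspicious server whose sole destination is adsmail.us)
    is flagged too. Hosts that reach flagged nodes but also legitimate sites
    are reported separately as feeders.
    """
    flagged = set()
    changed = True
    while changed:
        changed = False
        for ref, dests in graph.items():
            if ref in flagged or ref in malicious:
                continue
            if dests and all(d in malicious or d in flagged for d in dests):
                flagged.add(ref)
                changed = True
    feeders = {ref for ref, dests in graph.items()
               if ref not in flagged and any(d in flagged for d in dests)}
    return {"malvertising": sorted(flagged), "feeders": sorted(feeders)}


def analyze(text=SAMPLE_LOG, malicious=KNOWN_MALICIOUS):
    """Run the full pipeline over a log text and a blocklist."""
    return classify_referrers(build_referrer_graph(parse_log(text)), malicious)


if __name__ == "__main__":
    result = analyze()
    print("Referrers flagged as malvertising:", ", ".join(result["malvertising"]))
    print("Feeders that also reach legitimate sites:", ", ".join(result["feeders"]))
```

On the constructed log, adsmail.us is flagged because it only ever leads to the blocklisted host, instadserver.com and australianadserver.com are flagged on the second criterion because their only destination is adsmail.us, and ads.yahoo.com is reported as a feeder, not as malvertising, because it also refers to ordinary sites. In practice the feeder list is what you hand to the ad network for takedown, while the flagged list goes onto the proxy blocklist.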
The discovery that major ad servers with broad potential reach were referring traffic to adsmail.us turned this attack from a minor one into one that could cause far more damage. It also illustrates why malvertising has become the leading vector for web-based threats. Read more about this latest malvertising scheme here.