According to a FireEye blog, a malvertising campaign ran on Forbes.com earlier this month, leading visitors to landing pages run by the Neutrino and Angler exploit kits. At first, the Neutrino kit was the primary source of delivered malware (after exploiting Flash vulnerabilities), but further investigation found the Angler exploit kit being used as well.
Fraser Kyne, principal systems engineer at endpoint security firm Bromium, offered @Dfmag useful insight into this issue and discussed why approaches like micro-virtualisation can be helpful moving forward, commenting:
“There is still a growth in attacks via malicious advertising. This is where the attacker ends up creating an advert which contains some malicious content. Typically what they are going to do is redirect you to a website, which then launches the second stage of the attack. Then they’ll place that advert with a number of ad agencies, and use one of the ad placement firms to actually enable the attack. It is actually a very interesting attack, because it gives you the opportunity to target particular groups.
For example, supposing you had a conference which had a particular name that, perhaps, you knew was going to be frequented by people in the Department of Defence, or the Army. You could then create one of these malicious adverts, buy the ad-word for that particular conference and then anyone searching for it would be likely to see that particular advert. There might be a white list of sites you can go to, but even if you are going to a well-known website, whether it’s Forbes, CNN or BBC, there are adverts being inserted into those web pages and those adverts themselves can be malicious.
Even if you go to a website that you believe will be secure, it could actually be made insecure by adverts which are being delivered by third parties. The way the whole economy and the web is built on this advertising infrastructure is really quite horrible from a security point of view. It is enabling third parties that have no relationship with the website provider to be able to inject adverts and quite complex code. Most of these adverts are Flash, basically enabling complicated things to be done within the environment of the webpage, and they really rely on the very fragile security of Flash, the Flash engine and the browser and these other technologies. With this level and amount of code, and the complexity, it is very challenging to make secure. In fact, basically impossible. And that is what we rely on every day! We are browsing the web, we are relying on this very fragile security. I just don’t think it is possible to secure an attack surface that is that large. That is why we need approaches like micro-virtualisation to actually enable the whole thing to be run in a micro-VM, so you don’t care what happens there. That advert may turn out to be malicious, it may compromise the web browser or the environment. The web browser might have a second-stage exploit which compromises the whole operating system, but then I don’t really care because it is running in a micro-VM. It’s not going to impact any other website I visit, it’s not going to have any access to my documents and it’s not going to have access to my internet. So that’s the kind of approach we need to take to solve these problems and it’s a huge vulnerability the way the web advertising works today.”
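The pattern Kyne describes (an allowlisted site embeds a third-party advert, which redirects the browser to a further domain that serves a Flash object) is something a defender can look for in proxy logs even when an allowlist is in place. The following is an added example, not code from the article, FireEye or Bromium: the log format, hostnames, allowlist and sample lines are constructed for illustration, and the script simply walks referer chains back to the originating page and flags Flash content fetched from a non-allowlisted host via one or more intermediate third-party hosts.

```python
"""
Constructed proxy-log triage for the malvertising chain described above:
allowlisted page -> third-party ad host -> other third-party host serving Flash.
Log format, hostnames and sample lines are constructed for this example.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log. Fields: client url referer status content_type
# ("-" means no referer header was sent).
SAMPLE_LOG = """\
10.0.0.5 http://news.example/story/123 - 200 text/html
10.0.0.5 http://ads.adnet-example.net/serve?id=9 http://news.example/story/123 302 text/html
10.0.0.5 http://cdn.unknown-example.biz/land/a.swf http://ads.adnet-example.net/serve?id=9 200 application/x-shockwave-flash
10.0.0.7 http://news.example/story/124 - 200 text/html
10.0.0.7 http://static.news.example/banner.swf http://news.example/story/124 200 application/x-shockwave-flash
"""

# Hypothetical allowlist of first-party hosts the organisation trusts.
ALLOWLIST = {"news.example", "static.news.example"}
FLASH_TYPES = {"application/x-shockwave-flash"}


def host(url):
    """Hostname portion of a URL, or "" if it cannot be parsed."""
    return urlparse(url).hostname or ""


def parse_log(text):
    """Parse the constructed whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, referer, status, ctype = line.split()
        events.append({
            "client": client,
            "url": url,
            "referer": None if referer == "-" else referer,
            "status": int(status),
            "ctype": ctype,
        })
    return events


def referer_chain(events_by_url, url, depth=10):
    """Follow referer pointers from `url` back to the originating page.

    Returns the chain in load order (origin first). Stops on a missing
    referer, an unseen referer URL, a loop, or after `depth` hops.
    """
    chain = [url]
    seen = {url}
    while depth > 0:
        ev = events_by_url.get(chain[-1])
        if ev is None or ev["referer"] is None or ev["referer"] in seen:
            break
        chain.append(ev["referer"])
        seen.add(ev["referer"])
        depth -= 1
    return list(reversed(chain))


def find_suspicious_chains(events):
    """Flag Flash objects served from a non-allowlisted host whose referer
    chain starts on an allowlisted page and passes through at least one
    other third-party host (the ad-network hop)."""
    findings = []
    by_client = defaultdict(dict)
    for ev in events:
        by_client[ev["client"]][ev["url"]] = ev

    for client, by_url in by_client.items():
        for ev in by_url.values():
            if ev["ctype"] not in FLASH_TYPES or host(ev["url"]) in ALLOWLIST:
                continue  # first-party Flash is not the pattern of interest
            hosts = [host(u) for u in referer_chain(by_url, ev["url"])]
            origin_trusted = hosts[0] in ALLOWLIST
            via_third_party = any(h not in ALLOWLIST for h in hosts[1:-1])
            if origin_trusted and via_third_party:
                findings.append((client, hosts))
    return findings


if __name__ == "__main__":
    for client, hosts in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(client, " -> ".join(hosts))
```

On the constructed sample this reports a single chain for client 10.0.0.5 (news.example -> ads.adnet-example.net -> cdn.unknown-example.biz) and ignores the first-party banner loaded by 10.0.0.7. The point of the check is exactly the one made in the quote: an allowlist on the originating site says nothing about what its embedded advertising brings in, so detection has to follow the chain rather than judge the first request alone.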