Telstra's 'media content' home page has been infected with 'malvertising' which links to a malicious exploit kit.
Malvertising is a form of distributing ‘injected' malware into legitimate online advertising.
A malvertisement appearing to show a Lamborghini Gallardo for sale, actually contained a link to redirect users (via Google's own URL shortener) to a separate website where a Nuclear exploit kit payload was lying in wait. The payload in this case was a banking Trojan.
The hack itself was reported by Malwarebytes researcher Jerome Segura. He reports that this malvertising is similar to an previous attack on the PlentyOfFish dating website.
The attack will have targeted the network serving the ads to the Telstra site, rather than the telco itself.
The Nuclear exploit kit which this hack pointed to is an off-the-shelf piece of hacking software with tools to exploit vulnerabilities in the runtime environments of browsers and the core backbone software that runs on the web.
While culpability is not directly pointed at Telstra for this attack, users clearly establish a certain level of trust with media providers who operate at a national and/or international level.
With incidents like this becoming more prevalent, the question of host site liability for dynamic content presented in advertisements does come into question.
According to Jas Singh, CTO at health and community management company, Medelinked, “publishers need to make sure they implement controls and threat detection policies to defend their environment and mitigate such attacks. Typically, this starts with URL filtering and web reputation filtering as some of the first checks that can be implemented”.
Singh said that if user-requested web content gets past the URL and reputation filtering then real-time malware detection should also be put in place.
Gavin Reid, VP of threat intelligence at Lancope spoke to SCMagazineUK.com today to say that in the ‘underground economy' PC's are monetised in various ways; stealing of accounts, click-through fraud, phishing, DDoS, pirated software sites, fake anti-virus and ransomware and so on.
“Many, if not all, of the top 100 websites have fallen victim to compromised sponsored advertising (or malvertising). If you can get an advert with a malware redirect posted to a major website – there is no need to compromise the site,” he said.
Reid explained that miscreants use a hacked account, or a stolen credit-card to pay for the malware-laden ads and the fact that they lead back to the ad provider all provide a great cover.
“The adverts themselves can be targeted to the exact audience you want and security defenders can't blacklist the site or the advert-provider. This is where quick and very specific URL blocking can help, however as with AV signatures this is a race with both time and numbers being in favour of the miscreants,” he added.
Senior malware analyst at Avast Jaromir Horejsi spoke to SCMagazineUK.com to clarify just where users stand in relation to the secure web today.
“HTTPS cannot help avoid malvertising, in fact malvertising can be (and sometimes is) spread by infected online advertising services over HTTPS.
"To protect themselves from malvertising, people should keep their software, such as browsers and plugins up-to-date, adjust browser settings to detect and flag malvertising. They should also have antivirus software installed to detect and block malicious payloads that can be spread by malvertising.”
Telstra's ‘media content' home page has now disabled the link to the malvertising attack.