Malvertising attack redirects users to malicious webpages as doubts about security of online advertising networks increase
Visitors to Forbes have been served up malicious adverts that direct users to websites hosting a number of well-known exploit kits that can be used to infect vulnerable systems with malware, according to security firm FireEye.
The malvertising attack appears to have impacted one of the advertising networks used by Forbes over a week-long period, according to researchers, before the publication was notified of the issue and swiftly rectified.
“From Sept. 8 to Sept. 15, 2015, the Forbes.com website was serving content from a third-party advertising service that had been manipulated to redirect viewers to the Neutrino and Angler exploit kits,” said FireEye.
Forbes a target
“Malvertising continues to be an attack vector of choice for criminals making use of exploit kits. By abusing ad platforms – particularly ad platforms that enable Real Time Bidding, which we’ve covered before here – attackers can selectively target where the malicious content gets displayed.
“When these ads are served by mainstream websites, the potential for mass infection increases significantly, leaving users and enterprises at risk.”
Forbes has faced several cyber threats in recent times. Last year, the Syrian Electronic Army (SEA) stole the details of more than a million Forbes.com users while the combination of two separate vulnerabilities in Windows and Flash was used to target Forbes’ ‘Thought of the Day’ widget in December.
Safety of adverts
A number of Malvertising attacks have affected users of dating websites, social networks and other online destinations like MSN and Yahoo in recent months, leading many to question the safety of online advertising – especially those running Flash. Google Chrome now pauses Flash adverts by default, while Amazon has blocked assets powered by the much-maligned software.
Some have even turned to controversial ad-blockers to protect themselves against such attacks.
“Even if you go to a website that you believe will be secure, it could actually be made insecure by adverts which are being delivered by third parties,” said Fraser Kyne, principal systems engineer at security firm Bromium. “The way the whole economy and the web is built on this advertising infrastructure is really quite horrible from a security point of view. It is enabling third parties that have no relationship with the website provider to be able to inject adverts and quite complex code.
“Most of these adverts are Flash, basically enabling complicated things to be done within the environment of the webpage and really rely on the very fragile security of the Flash, the Flash engine and the browser and these other technologies.
“With this level and amount of code, and the complexity, it is very challenging to make secure. In fact, basically impossible. And that is what we rely on every day! We are browsing the web, we are relying on this very fragile security.”
A Forbes spokesperson said: “Forbes was informed on September 17 about an apparent malvertising attack to its web site. The malicious creatives identified were isolated to a single advertiser and immediately suspended.
“Forbes has strict practices in place to protect against these kinds of incursions and will make any necessary changes to be sure such incidents do not occur again.”
What do you know about Internet security? Find out with our quiz!