Millions of people stream Netflix content on their computers, but few wonder how it works. Netflix runs in computer Web browsers with the help of a plugin called Microsoft Silverlight — and Silverlight has coding errors that can be exploited to bypass its security measures. What more could a cybercriminal ask for?
A new cybercrime campaign is using fake advertisements as a launching point, hitting Silverlight's vulnerabilities to install malicious software on computers, according to San Jose, California-based networking giant Cisco, which discovered the attacks.
If you watch Netflix in your Web browser, you may remember that before you could watch a movie or TV show, you had to install a Silverlight plugin. Similar to Adobe Flash Player, Silverlight handles multimedia content on Microsoft Windows and Mac OS X. (There's also an unofficial Linux clone.) Netflix isn't the only service that uses Silverlight, but it is by far the most popular.
The methods cybercriminals use to exploit Silverlight may seem complex, but are simple in practice. The criminals first infiltrated the corporate networks of AppNexus, a New York-based online advertising company, in order to plant malicious ads across the Web.
If a user clicks on one of these malicious ads, he or she gets redirected to another malicious banner ad, and from there to a Web page on which a well-known malware package called the Angler exploit kit begins to bombard the user's browser with one attack after another. When one of the attacks succeeds in penetrating the browser's defenses, it infects the browser with malware in what's called a drive-by download.
Browser exploit kits are like quivers full of trick arrows. Each arrow, or exploit, is designed to attack a Web browser in a different way, and developers and operators of exploit kits are constantly adding new exploits to their quivers. Last November, the creators of the Angler exploit kit added a suite of Silverlight vulnerability exploits.
In a Cisco blog post, the company's researchers said the cybercriminals behind this Angler-based "malvertising" campaign were focusing on Silverlight and Flash exploits to install a Trojan on victims' computers. The Trojan creates a connection between the infected computer and a remote server, which Cisco has determined to be located in Brazil.
Only 10 percent of browsers hit by the Angler exploit kit end up being infected, the Cisco researchers wrote, but a sharp uptick in the corrupted pages' traffic indicates that many more people will be falling victim to this exploit campaign.
Between May 7 and May 13, 18 percent of Web users who landed on pages hosting the Angler exploit kit had been redirected to those pages from the fake AppNexus advertisements in this malware campaign.
To keep yourself safe from this exploit, you should run a good antimalware program that includes Web-browser protections. You can also disable the Adobe Flash and Silverlight plugins on your browser, or use a Netflix mobile app instead of the browser-based version so you don't have to install Silverlight in the first place.