Massive Malvertising Campaign Hits Major Websites

This is bad. More than a dozen high-profile websites may have been hit by a new malvertising campaign, inadvertently posting online ads that may try to install ransomware or botnet malware on readers' computers, according to reports from three security firms.

Credit: Feel Photo Art/Shutterstock

The sites apparently include MSN.com, NYTimes.com, BBC.com, AOL.com, NFL.com, TheWeatherNetwork.com, TheHill.com, ZeroHedge.com, Newsweek.com, realtor.com, my.xfinity.com, answers.com and infolinks.com. Most see millions of unique visitors daily. Online-ad networks distributing the dangerous ads include Google, AppNexus, Rubicon and AOL, according to blog posts from Malwarebytes, Trustwave and Trend Micro.

The issue began Sunday with the latest update to the Angler exploit kit, one of several widely distributed quivers of malware that poke a connecting Web browser's vulnerabilities until something gets through. In this instance, the malicious ads you'd see on NYTimes.com or BBC.com are quietly connecting back to malicious sites hosting Angler, which reaches out through the links to push malware onto hapless visitors.

The websites hosting the ads aren't themselves infected — they just happen to be the ones displaying the ads. Because ads don't always show up consistently on the same site, simply viewing a site that has been pushing malvertising doesn't mean you saw an infected ad.

The malware dropped onto visiting machines apparently includes the TeslaCrypt ransomware, which will encrypt your most important personal files and demand payment, and the Bedep botnet Trojan, which will try to capture your machine, Borg-style, and add it to a slave army of infected PCs doing a criminal's dirty work. The primary means of entry is an unpatched browser plugin for Silverlight, although most exploit kits also probe for unpatched Adobe Flash Player plugins.

To avoid infection, patch or disable the Silverlight plugin in your browser; you won't need it unless you watch Netflix on your computer. Also patch Adobe Flash Player plugins, or, better yet, disable them altogether or make them click-to-run. Google Chrome and Internet Explorer 10 and 11 will patch Flash by themselves, but you'll need to patch Flash in other browsers manually.

Finally, be sure to update your Web browsers and operating systems to the latest possible versions. It may be time for you to make the jump to Windows 10, which has security protections that don't exist in Windows 8.1 or 7. And while we at Tom's Guide don't endorse ad blockers, which affect our own bottom line, they might make a difference in this case.

Macs are at risk too, but less so than Windows. Be sure to patch Flash and Silverlight to protect yourself from flaws that can be exploited.