Skip to main content

Sneaky Malvertising Hits Top Sites: What You Should Do

We've said it before, and we need to repeat it again: Update your Adobe Flash Player browser plugins now. Once again, a recently patched vulnerability in the multimedia plugin is allowing attackers to push out system-locking ransomware through malicious ads placed on popular websites, including dailymotion.com, MLB.com and CBS.com.

Credit: Dragon Images/Shutterstock

(Image credit: Dragon Images/Shutterstock)

The news comes from Jérôme Segura at Malwarebytes, who yesterday (May 25) reported that attackers had found a way to corrupt high-traffic websites with ads that become malicious only when served to ordinary web users. This trick uses JavaScript that drops malware when it sees that the visiting browser is running on a regular consumer PC, but makes the ad appear harmless when the browser is on a virtual machine of the sort used by security researchers.

MORE: Malvertising: What It Is and How to Protect Yourself

The ads lead visitors to the Angler browser exploit kit, which pokes and prods your browser to see how many ways it can be penetrated. Angler now includes the CryptXXX ransomware, and leverages a Flash exploit patched two weeks ago to attack without any user interaction whatsoever. All the ads needs to do is display -- and for the Adobe Flash Player plugin to be out of date -- to trigger an infection.

Malware typically spreads through ads thanks to the chaotic nature of the online ad-sales market, but evolving code that evades verification makes it even harder for ad networks to operate safely. To add insult to injury, the criminals were not only hijacking legitimate advertisers' ads, but creating hidden subdomains on the advertisers' own sites so that code-checkers would mistakenly see the URLs as kosher.

Segura reported that Malwarebytes "received quick acknowledgements from almost all" of the advertisers involved and "that they have already taken measures to ban the fraudulent advertisers and their purveyors."

If you're using Google Chrome, Microsoft Edge or Internet Explorer 11, Adobe Flash Player will automatically update itself in the background. All other browser users need to navigate to get.adobe.com/flashplayer to manually install the update. This isn't a problem for most mobile users, as Steve Jobs kept Flash from ever landing on iOS, and the player was discontinued on Android.

In addition to updating Adobe Flash Player, you can set up click-to-enable technology to stop Flash from automatically running on websites. This gives you the power to see the Flash content you want to see, and ignore the rest.

Those tired of repeatedly patching Flash can opt to disable the plugin. Some sites may still use the technology, but since YouTube transitioned to native HTML5 for its videos, there is little need left for Flash.