Break out your ad blocker or your NoScript: Malicious advertisements have been discovered infecting the Web browsers of people who visited certain major websites between Aug. 19 and Aug. 22. Users did not have to click on the ads to be infected.
The "malvertising" was found on Java.com, DeviantArt, TMZ, Photobucket, IBTimes, eBay.ie, Kapaza.be and TVgids.nl, and eventually detected by Dutch Internet-security company Fox-IT. The websites themselves were not hacked; rather, the malicious ads had been spread through the online advertising network AppNexus. (AppNexus quickly removed the ads, which had abused an automated-bidding placement process.)
When victims visited websites containing these malicious ads, hidden links triggered a drive-by download. The victims' browsers were redirected to a malicious Web page hosting the Angler browser exploit kit, a software bundle containing exploits for several known flaws in browser plugins, such as Flash Player, Java and Microsoft Silverlight.
Like most exploit kits, Angler tries several different attacks until it finds one that gets through a browser's defenses. It then uses that hole to inject and launch malware — in this case, the Rerdom backdoor Trojan, which establishes a foothold for possibly more malware to be installed. Think of Angler as a hypodermic needle, and Rerdom as the stuff being injected into victims' computers.
Malvertising has been a problem for many years; even the New York Times website was hit in 2009. Unfortunately, the online-advertising industry has created many layers of buyers, referrers, bidders and networks, most of which use computerized processes to rapidly maximize effectiveness and revenue.
Website operators often have no direct relationship with, or control over, the ads that appear on their sites. The highly decentralized nature of the ad-placement process creates opportunities for malicious actors to inject themselves into the process.
What can you do to protect yourself from malicious ads? First, run a good antivirus program, which will detect browser exploit kits hidden in Web pages. We've reviewed our top antivirus picks on Tom's Guide.
Next, you could try to use an ad blocker in your browser. You can also enable click-to-play, a setting in modern browsers that bars each multimedia file, such as an ad that plays music or movies, from running unless you give it express permission.
However, both solutions may be incomplete. Some ad blockers "whitelist" certain ad networks so their ads display, and click-to-play settings won't affect simpler ads.
It might be best to install a plugin, such as NoScript for Mozilla Firefox or Script Blocker for Google Chrome, that blocks all executable browser content. Users will generally be able to temporarily or permanently allow content from certain sites, while continuing to block others — such as that from ad networks.
- 12 Computer-Security Mistakes You're Probably Making
- Best Free PC Antivirus Software 2014
- 7 Scariest Security Threats Headed Your Way
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.