Infected Web Ads Use Flash Flaws to Spread Ransomware

Credit: Carlos Amarillo/Shutterstock

It's a perfect storm of Internet iniquity: A three-month-old malvertising campaign is exploiting two recently discovered Adobe Flash Player flaws to infect people's computers with ransomware. If you're counting, that's three cybercrime buzzwords in one — and the result is a dire threat that may have affected popular websites such as the Huffington Post and Answers.com.

The malvertising campaign, dubbed Fessleak after an email address used to register malicious domain names associated with the campaign, began in mid-October and initially used a Windows flaw to infect PCs with what Fairfax, Virginia-based security company Invincea called "advanced ransomware."

But after Microsoft patched that flaw Jan. 13, Fessleak switched to running ads that exploited first one, then another, Adobe Flash Player zero-day flaw — so called because attackers discovered and used them first, giving Adobe zero days to patch its software. (Both flaws have since been patched.)

Invincea, which chronicled the malvertising campaign in a blog post Wednesday (Feb. 4), the same day Adobe patched the second flaw, said that Fessleak can even detect when its malware dropper attempts to run in a virtual container, an isolated environment that security researchers use to study malware.

If Fessleak detects a virtual container, its dropper will shut down, which may be why Invincea didn't name the specific kind of ransomware involved. Similar malvertising campaigns have infected users with the Reveton strain of "police" ransomware, which tells victims they face prosecution for harboring pirated files or pornography unless they pay "fines" immediately.

Malvertising is the practice of slipping malicious advertisements into legitimate ad networks that feed ads to widely viewed websites. These malicious ads then appear in the browsers of people who visit those sites, where they can trigger malware infections.

Because it spreads via ad networks, Fessleak has affected many high-profile websites, including the Huffington Post and the New York Daily News. Sites hit since the campaign began using the Adobe flaws include Answers.com and Thesaurus.com.

Malvertising campaigns such as Fessleak can be difficult to curb.

"It is important to note that the sites from which the malvertising were delivered are by and large unaware that their sites were used for delivering malware, and largely unable to do anything about it," Invincea notes.

Although these two latest Flash zero-days have been fixed, they won't be the last of their kind. To protect yourself against future attacks, you may want to disable Flash in your browser, or at least set Flash to Click to Play. This way, you can activate only the ads or videos using Flash that you wish to see, and the others will remain disabled.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.