Scam Of The Week: Massive WebAd Poisoning

RansomwareThe same cybercrime lowlifes that infected the Yahoo website a few weeks ago have struck again, this time infecting sites like Drudge Report and Both sites have hundreds of millions of visitors per month, and were serving poisoned web ads which either dropped CryptoWall ransomware or infected the PC with adware. 

Internet users at the house, or employees who browse the web during their lunch break do not understand the mechanics of modern ad networks. Once an ad network is subverted, hundreds of millions of poisoned ads are displayed in real-time. Many of these ads initiate a drive-by attack without the user having to do anything. The attack does a few redirects, kicks in a U.S. and Canada-focused Exploit Kit which checks for vulnerabilities (usually in Flash) and infects the workstation literally in seconds.

What To Do About It

This is a hard one to defend against, because they hide behind an SSL to Microsoft's Azure Cloud which makes it difficult to detect, but there are definitely things you can do. First of all, I would send this to your
users. Feel free to copy/paste/edit:

Scam of The Week Warning - you need to understand something about poisoned ads on websites which might infect your computer. Here is the situation in a nutshell: Advertisers do not sell their ads to websites one at a time. Websites that want to make money sell their advertising space to an ad network. Advertisers sign contracts with that ad network which then displays the ads on the participating websites. The ad network sits in the middle between the advertisers and the websites and manages the traffic and the payments.

And there is the problem. Cybercriminals fool the ad network into thinking they are a legit advertiser, but the ads which are displayed on major websites are poisoned. If you browse to a page with a poisoned ad on it, that is enough to run the risk your PC will be encrypted with ransomware, which costs 500 dollars to get your files back.

Desktop Ad Blocker UsersSo here are a few things you can do about this. First, disable Adobe Flash on your computer - or at least set the Adobe Flash plug-in to "click-to-play" mode - which blocks the automatic infections. Second, keep up-to-date with all the security patches and install them as soon as they come out. Third, download and install Ad Blocker plug-ins for your browser, these prevent the ads from being displayed in your browser to start with. These ad blockers are getting very popular, hundreds of millions of people use them.  

In a network, you could decide for two things:
1) Get rid of Flash all together, we see this happen a lot, or

2) Deploy ad blockers using group policy, here is a forum post at the AdBlockPlus site where it is explained how this can be done. I use Adblock Plus in Chrome and am a happy camper. Link:

Good luck and stay safe out there!

Learn how you can prevent such an attack and protect your organization by downloading KnowBe4's Ransomware Hostage Rescue Manual. It's he most informative and complete manual that will twll you what to do if you are hit as well as prevention tips for the future: 

Get Your Manual

Don't like to click on redirected buttons? Copy and paste this into your browser:

Topics: Ransomware

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews