Malware attacks include more than phishing attempts and spoofed emails. On Sunday, March 13, websites like nfl.com, aol.com, nytimes.com, msn.com, and many other extremely high-traffic sites were serving up ads weaponized with malware.
Malvertising is a malware delivery method in which the attacker designs a convincing ad and places it on an online ad network. Usually, when the advertisement is clicked, it redirects the victim to a site that pushes malware onto their computer. Malvertising can occur on any ad network, as Sunday’s attack demonstrated. The malware in question was an exploit kit, a toolkit of code that exploits vulnerabilities in web browsers and browser plugins. Specifically, it was Angler EK, a variant designed to take advantage of a recently patched vulnerability in Microsoft Silverlight and a few more common vulnerabilities in Flash Player and Java.
Researchers from managed security company Trustwave’s SpiderLabs have found that the malware looks for antivirus on the target’s computer and, if it finds no effective program, opens an iframe to push the exploit kit onto the computer.
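One defensive check that follows from the SpiderLabs finding above: a scanner that flags iframes which are both hidden and point off-origin, the footprint an injected exploit-kit frame leaves in a page. This is an added example, not code from the article or from Trustwave; the sample HTML, the site host news.example and the ad partner ads.example are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a visible ad frame from the site's ad partner,
# a same-origin frame, and a hidden frame injected toward an unknown host.
SAMPLE_HTML = """
<html><body>
<iframe src="https://ads.example/slot?id=7" width="300" height="250"></iframe>
<iframe src="/embed/video/42" width="640" height="360"></iframe>
<div><iframe src="http://landing.invalid/" width="1" height="1"
     style="display: none"></iframe></div>
</body></html>
"""

# Matches "width:0", "height:0px" etc. in a whitespace-stripped style string.
_ZERO_DIM = re.compile(r"(?:^|;)(?:width|height):0(?:\.0+)?(?:px)?(?:;|$)")

class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def _is_hidden(attrs):
    """True if the frame would be invisible to the user (the drive-by pattern)."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style or _ZERO_DIM.search(style):
        return True
    for name in ("width", "height"):          # 0x0 or 1x1 pixel frames
        value = attrs.get(name, "").strip().rstrip("px%")
        if value and value.replace(".", "", 1).isdigit() and float(value) <= 1:
            return True
    return False

def _off_origin(src, page_host, allowed_hosts):
    """True if src loads from a host other than the page or an allow-listed partner."""
    host = urlparse(src).hostname
    if host is None:                          # relative src: served by the page itself
        return False
    trusted = (page_host,) + tuple(allowed_hosts)
    return not any(host == d or host.endswith("." + d) for d in trusted)

def suspicious_iframes(html, page_host, allowed_hosts=()):
    """Return the src of each iframe that is both hidden and off-origin."""
    parser = _IframeCollector()
    parser.feed(html)
    return [f.get("src", "") for f in parser.iframes
            if _is_hidden(f) and _off_origin(f.get("src", ""), page_host, allowed_hosts)]

if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_HTML, "news.example", ("ads.example",)):
        print("hidden off-origin iframe:", src)
```

Run against a copy of a page fetched through the ad path you are investigating; a visible frame from an unknown host is deliberately not flagged, since legitimate ad slots look like that too.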
The sites themselves aren’t to blame, but if attacks like these become more common, it will raise questions as to who, exactly, should be held culpable.
You can defend yourself from attacks like these by updating your computer and browsers as often as possible, installing and regularly running antivirus, and making browser plugins like Flash and Silverlight click-to-play, a setting every major web browser offers.