Massive Ad Poisoning scam and what you can do to protect against it
Aug 18 2015 – Your Friendly Neighbourhood IT Guy – http://wp.me/p1fJaD-4o
Share this with others to help stop or at least slow the spread of this and other threats and reduce the impacts.
There has been a massive “scam” going around that abuses web advertisements, called Ad Poisoning (also known as malvertising). This specific case involves infecting computers with ransomware (malware that encrypts your data and demands payment to decrypt it). Most advertisers do not sell their ads to websites one at a time. Websites that want to make money sell their advertising space to an ad network. Advertisers sign contracts with that ad network, which then displays the ads on the participating websites. The ad network sits in the middle between the advertisers and the websites and manages the traffic and the payments.
That is where the problem lies. Cyber criminals fool the ad network into thinking they are a legitimate advertiser, but the ads it then displays on major websites are poisoned. Simply browsing to a page with a poisoned ad on it is enough to run the risk of your device being encrypted by ransomware (or infected with other malicious software), after which the cyber criminals demand money to decrypt your personal or work files.
If a device is infected with ransomware, paying the ransom is strongly discouraged, as it exposes you to further financial risk and exploitation.
The recommended preventive measures against these types of attacks are to run a pop-up blocker, an anti-exploit or mitigation tool and a web content inspection tool, and to disable Java unless one of those tools protects it. Many companies run a network-based web content inspection tool. Please keep in mind that none of these methods ensures complete protection.
Find more info on some of the suggested preventive measures below.
Due to the recent malicious campaign targeting some legitimate advertising networks/sites, you can temporarily block these websites if you are using OpenDNS or another DNS provider that offers this service. If not, you can temporarily add the list to your hosts file and point each entry to 127.0.0.1. More info below.
Check this site for updates, as sites may get added to or removed from the list when they are detected as using the impacted advertising network(s) or have mitigated the issue.
SSL Malvertising campaign continues
Here are some of the options to try to better protect your family's computers and devices from this type of attack/threat and others:
Some of the following and more can be found here: Better protect your computers phones and more
DNS or hosts file changes:
I use OpenDNS on our router at home and have temporarily added the above sites to the block list (some were already blocked by OpenDNS for known threats).
Alternatively, you can add the list to your hosts file to block them:
Open a text editor like Notepad, running it as an administrative account, and open your hosts file (e.g. c:\windows\system32\drivers\etc\hosts). Add a line for each site that points it to 127.0.0.1.
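As an added illustration, not from the original post, here is a small Python script that applies such a hosts-file block list between begin/end marker comments so it can be removed cleanly once the campaign is over. The domain names in it are constructed placeholders, not the real list referenced above, and the file path is whatever you pass in.

```python
import re
from pathlib import Path

# Constructed placeholder names (.test is a reserved TLD); not the post's real list.
SAMPLE_BLOCKLIST = ["Ads.Example-Network.TEST", "cdn.example-adserver.test"]

# Marker comments make the temporary block easy to find and remove later.
BEGIN = "# BEGIN temporary malvertising block list"
END = "# END temporary malvertising block list"
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def render_block(domains, sink="127.0.0.1"):
    """Build the marker-delimited '<sink> <domain>' lines; names are lowercased,
    de-duplicated and syntax-checked so a bad entry cannot break the whole file."""
    seen, lines = set(), [BEGIN]
    for name in domains:
        name = name.strip().lower().rstrip(".")
        if name in seen or not HOSTNAME_RE.match(name):
            continue
        seen.add(name)
        lines.append(f"{sink} {name}")
    lines.append(END)
    return lines

def _without_block(hosts_text):
    """Return the file's lines with any earlier marker block stripped out."""
    kept, inside = [], False
    for line in hosts_text.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        elif not inside:
            kept.append(line)
    return kept

def apply_block(hosts_text, domains, sink="127.0.0.1"):
    """Replace (or add) the block; entries outside it are left untouched."""
    return "\n".join(_without_block(hosts_text) + render_block(domains, sink)) + "\n"

def remove_block(hosts_text):
    """Undo apply_block once the campaign is over."""
    return "\n".join(_without_block(hosts_text)) + "\n"

def update_hosts_file(path, domains, sink="127.0.0.1"):
    """Rewrite the hosts file in place (the real one needs an admin account)."""
    hosts = Path(path)
    hosts.write_text(apply_block(hosts.read_text(), domains, sink))
```

Running `update_hosts_file(r"c:\windows\system32\drivers\etc\hosts", SAMPLE_BLOCKLIST)` from an administrative prompt adds the block; re-running it with a newer list replaces the old block rather than appending a second copy.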
Anti-exploit and mitigation tools:
Don’t try running both of these at once, as they will conflict; use one or the other. The same goes for running any two of these types of tools together. They do work fine alongside traditional anti-virus such as MSSE, Defender, McAfee or Trend AV, etc.
This free tool plugs into at least IE, Chrome and Firefox and will block many Ad Poisoning sites and other threats. It is easy to install and does not need any configuration. The free version protects the above browsers and Java, but you need to buy the premium version to protect Adobe Reader and other apps. Microsoft’s EMET does all of this and more and is free, but may need a bit more tweaking (more info below).
I have used their Anti-Malware scanner for Windows for years and it has worked well, especially when helping some friends clean up a computer after it gets very slow or stops working completely.
Microsoft’s Enhanced Mitigation Experience Toolkit (EMET):
This tool appears to offer more protection, but may need some configuration or tweaking.
It has pre-set configurations for many apps and you can add more. If you want to be even more secure, you can enable it for all apps, at the risk of some apps crashing and needing tweaking or disabling.
I configured it to monitor all the default apps and added a few, so IE, Chrome, Firefox, Java and several other apps are monitored.
I have used it at home, and the early versions caused some apps to crash and needed tweaking or disabling for the app, but the last two versions have been a lot better. I haven’t noticed any issues in a while.
Here is more info on the above two tools and a similar commercial product: