Malvertising meets the Daily Mail

Love it or hate it, if you’re an Anglophone, you’ve probably heard of it.

The UK’s Daily Mail, or, more precisely, the web-based Mail Online, is said to be the world’s busiest English-language news site.

Despite its British origins, and its UK flavour, 70% of its traffic is said to come from outside the British Isles, notably from the USA.

There’s no subscription or paywall, so the site makes its money, like so much of the internet these days, from ads.

So, as you can probably imagine, crooks who could feed malvertising – booby-trapped ads consisting of poisoned HTML, JavaScript and so on – could quickly rack up a lot of hits on their malicious sites.

As we’ve explained before, malverts don’t have to contain malware of their own.

They just need to link off somewhere that has malware on it, for example using an HTML IFRAME (inline frame, or embedded web window).

And malverts can be hard to track down, because ad networks don’t always serve the same ad in the same place on the same page.

Even if you see an ad that your anti-virus blocks because it contains malicious code or a poisoned link, and report it promptly…

…researchers following up on your report might see something completely different when they go looking.
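Because a malvert typically carries no payload of its own and simply embeds an IFRAME that pulls in a page from somewhere else, one practical check a publisher or ad-ops team can run on creatives before (or while) they are served is to look for iframes that are both hidden from the viewer and pointing outside the ad network's own domains. The following scanner is an added example written for this article, not code from the original post or from Sophos; the hostnames, the sample creative and the `allowed_domains` list are constructed placeholders.

```python
"""Heuristic scan of an ad creative's HTML for hidden, off-site iframes.

A malvert often contains no malware itself: it just frames in a page
from a third-party host. This scanner flags any <iframe> that is
(a) hidden from the viewer (1x1 or zero size, display:none,
visibility:hidden, or positioned far off-screen) AND
(b) served from a host outside the allowed (ad network) domains.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension_px(value):
    """Parse a width/height attribute such as '1' or '1px' into pixels (None otherwise)."""
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", value)
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the iframe would be invisible or negligible to a human viewer."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(left|top):-\d{3,}px", style):  # pushed hundreds of px off-screen
        return True
    w = _dimension_px(attrs.get("width", ""))
    h = _dimension_px(attrs.get("height", ""))
    if w is not None and h is not None and (w <= 1 or h <= 1):
        return True
    m_w = re.search(r"width:(\d+)px", style)
    m_h = re.search(r"height:(\d+)px", style)
    if m_w and m_h and (int(m_w.group(1)) <= 1 or int(m_h.group(1)) <= 1):
        return True
    return False


def is_off_site(src, allowed_domains):
    """True if src points at a host that is not one of (or under) the allowed domains."""
    host = urlparse(src).hostname
    if host is None:  # relative URL: same origin as the creative itself
        return False
    host = host.lower()
    return not any(host == d or host.endswith("." + d) for d in allowed_domains)


def find_suspicious_iframes(html, allowed_domains):
    """Return (src, reasons) for every iframe that is both hidden and off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        reasons = []
        if is_hidden(frame):
            reasons.append("hidden")
        if is_off_site(src, allowed_domains):
            reasons.append("off-site")
        if len(reasons) == 2:
            findings.append((src, reasons))
    return findings


# Constructed sample creative (placeholder hosts, not real indicators):
# a normal banner, a hidden tracking pixel on the network's own CDN, and a
# hidden 1x1 iframe pointing at an unrelated third-party host.
SAMPLE_CREATIVE = """
<div class="ad">
  <a href="https://ads.example-network.test/click">
    <img src="https://cdn.example-network.test/banner.png" width="300" height="250">
  </a>
  <iframe src="https://cdn.example-network.test/tracker.html" width="300" height="1"></iframe>
  <iframe src="http://landing.example-third-party.test/page.html" width="1" height="1" style="display:none"></iframe>
</div>
"""
ALLOWED = ["example-network.test"]  # assumed list of the ad network's own domains

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_CREATIVE, ALLOWED):
        print(f"suspicious iframe {src}: {', '.join(why)}")
```

Note that the network's own 1-pixel tracker is hidden but not flagged, because it stays on an allowed domain; requiring both conditions keeps the false-positive rate down on ordinary creatives. The check is a heuristic, not a verdict: it is most useful as a pre-serving gate or as a feed into the kind of gateway web filtering the article recommends below, and it will not catch a redirect that is built dynamically by obfuscated JavaScript at view time.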

Mail meets malware

Sadly, last week, it seems that some Mail readers did receive poisoned ads from one of the ad networks that provides Mail Online with marketing content.

Reported cases are said to have redirected visitors to web pages containing the Angler exploit kit, an infamous “cybercrime as a service” tool that automatically loads a sequence of booby-trapped files into your browser, and tries them one by one in the hope of getting control over your computer.

Indeed, if you’ve forgotten to patch any one of the software vulnerabilities that Angler tries to exploit, you’re at risk of what’s called a drive-by download.

That’s where simply visiting the site with your browser, or having a malvert “visit” it for you, is enough to install malware on your computer.


Crooks wanting to distribute malware can pay the criminals behind the exploit kit on a per-install basis, so it’s hard to predict what malware an Angler-infected website will try to foist on you at any visit.

However, SophosLabs reports that Cryptodefense and Cryptowall ransomware, blocked by Sophos as HPmal/Ransom-I and HPmal/Ransom-R respectively, are commonly seen in Angler attacks these days.

As far as we know, the offending ad network that Mail Online was using (we aren’t sure which it was, as the Mail pulls in content from numerous outside sites) cleaned up its act pretty quickly, so this door was slammed shut soon after it opened.

What to do?

Keeping #CyberAware, and trying to be a safe surfer by avoiding risky-looking sites and sticking to well-known ones, is a good idea.

Why put yourself needlessly in harm’s way?

Clearly, however, just being careful is not enough on its own, because even mainstream, high-traffic websites may be intermittently infectious due to malvertising.

Here are some technological tips you can follow:

Keep your operating system and applications patched. Exploit kits like Angler usually try out multiple vulnerabilities before giving up. The longer you ignore your patches, the greater the number of holes that remain open to the exploit kit.

Use an on-access (real-time) anti-virus and keep it current. Blocking any of the stages in a malvertising attack like the one described above will stop the crooks in their tracks.

Use a secure gateway or firewall that filters web traffic. This provides an extra layer of defence on top of your anti-virus.

Clean up with the free Sophos Virus Removal Tool

This is a simple and straightforward tool for Windows users. It works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.

It does its job without requiring you to uninstall your incumbent product first. (Removing your main anti-virus just when you are concerned about infection is risky in its own right.)

Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.


Other free tools to protect you from malverts and exploit kits

Sophos UTM Home Edition

All the features of our commercial UTM for use on a spare computer or in a virtual machine. You get web filtering, email filtering, virus scanning, intrusion prevention, a web application firewall and a full-on Virtual Private Network (VPN) solution for up to 50 computers or mobile devices at home.

You also get 12 free licences for Sophos Anti-Virus for Windows to keep your family PCs clean.

Sophos Anti-Virus for Mac Home Edition

A standalone version of our business-grade anti-virus for OS X. You get real-time (on-access) malware prevention, web filtering, scheduled scans, malware cleanup and more, plus it keeps itself up-to-date automatically.