The New York Times, BBC, The Hill, Newsweek, AOL, MSN, and several other top-tier domains had their ad networks hijacked over the weekend by criminals using the Angler Exploit Kit to deliver Ransomware.
Researchers at Trend Micro, Malwarebytes, and Trustwave each reported a spike in malicious traffic over the weekend that impacted thousands of websites. It isn't clear if the upticks were part of a larger coordinated effort. What is clear is that the person(s) driving the campaign knew what they were doing.
"This time it seems that an experienced actor has acquired an expired domain of a small but probably legitimate advertising company in order to utilize this for malicious purposes. This provides them with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, which our research has shown to lead to the Angler EK," Trustwave reported.
In a post on Monday, Trustwave reported that answers.com and several other high-volume domains were hijacked briefly and used to spread Bedep and TeslaCrypt via the Angler Exploit Kit.
Trend Micro reported similar attacks, and noted that since March 9, there has been a noticeable increase in Angler-based activity. It's possible the attacks impacted tens of thousands of users in under 24-hours.
Using an expired domain as part of the campaign is a new twist, but effective given that ad networks usually vet their partners. Often, criminals have to target ad platforms without verification in order to operate, or they'll hijack existing networks for a brief period.
Obtaining access to a recently expired domain adds some legitimacy, and will often help the crooks clear various passive vetting checks.
Researchers at Malwarebytes tied two recently registered rogue domains to Angler-based attacks over the weekend at the New York Times, MSN, BBC, AOL, The Hill, Newsweek, NFL.com, the Xfinity customer portal (my.xfinity.com), Realtor.com, and The Weather Channel.
"While we didn’t collect the actual malware payload in each of these attacks, chances are quite high that it would be one of the several strains of ransomware currently out there," Malwarebytes' Jérôme Segura wrote in a post explaining their observations.
Ransomware is quickly becoming the go to payload for criminals because it's a quick payout with little overhead.
Generating new variants of new Ransomware costs the criminal nothing after the initial development fee is paid, and running a campaign costs pennies per victim. Two payments often cover the cost of an entire campaign, and the rest is pure profit.
As an attack, Ransomware is also difficult to deal with, because victims are sometimes forced to pay the ransom due to a lack up current or working backups. This is the case for victims at home and the office.
Such was the case at Hollywood Presbyterian Medical Center. The hospital had to pay $17,000 to recover from a Ransomware attack that crippled their network fore more than a week.