Porn Surfers Have a Dirty Secret. They’re Using Internet Explorer

Accepted submission by upstart at 2020-09-12 15:37:54
News

Porn surfers have a dirty secret. They’re using Internet Explorer [arstechnica.com]:

They’re back—attacks that use booby-trapped Web ads to install malware on the computers of unsuspecting visitors.

So-called malvertising works by paying advertising networks to display banner ads on legitimate websites. Malicious code snuck into the ads then surreptitiously exploits vulnerabilities in browsers or browser plugins. The result: merely browsing to the wrong site infects vulnerable computers with malware that steals banking credentials, logs passwords, or spies on users.

Malvertising never went away, but it did become much less common in the past few years. Thanks to dramatic improvements in browser security, malvertising was replaced by more effective infection techniques, such as phishing, malicious macros in Microsoft Office documents, and tricking targets into installing malicious apps that masquerade as legitimate software.

Internet Exploder... really?

But over the past month, malvertising has made something of a comeback, security firm Malwarebytes reported this week [malwarebytes.com]. Company researchers said they recently found two different groups placing booby-trapped ads on xHamster, a site with more than 1 billion monthly visits [similarweb.com], according to SimilarWeb. The ads redirect visitors to sites that serve malicious code. When viewed with Internet Explorer or Adobe Flash, the code can exploit critical vulnerabilities in unpatched versions of Internet Explorer.

“Threat actors still leveraging exploit kits to deliver malware is one thing, but end users browsing with Internet Explorer is another,” Malwarebytes researchers wrote. “Despite recommendations from Microsoft and security professionals, we can only witness that there are still a number of users (consumer and enterprise) worldwide that have yet to migrate to a modern and fully supported browser.”

Internet Explorer has always been one of the more targeted browsers. In part, that was because of its once dominant market share. Subpar security protections, when compared to Chrome and later Firefox, were another key reason. Microsoft has since released Edge and encouraged all users to adopt it. But the software maker continues to offer IE since custom plugins and software often lock organizations and individuals into using the outdated browser.

The malvertising renaissance seems to be motivated by attackers “squeezing the last bit of juice from vulnerabilities in Internet Explorer and Flash Player (due to retire for good next year),” the Malwarebytes post observed.

Enter Fallout and RIG

xHamster visitors using IE are redirected to a malicious site that hosts content from either Fallout or RIG, two of the better known exploit kits. Exploit kits are the malware equivalent of paint-by-numbers. Sold in underground forums, they allow people with relatively modest technical skills to serve exploits that will infect visitors with malware of the buyer’s choice.

The Fallout exploit kit was redirecting targets to inteca-deco[.]com, a domain that masqueraded as a Web design agency. Behind the scenes, the site redirected targets to a different domain hosting malicious content from Fallout. It exploited IE vulnerability CVE-2019-0752 or Flash vulnerability CVE-2018-15982. Later, targets were redirected to a different domain, websolvent[.]me, which used a different redirection trick to deliver the exploits.

When successful, the exploits installed the Raccoon Stealer. The malware, according to security firm CyberArk [cyberark.com], sells for about $75 a week. Customers use it to steal credit card data, login credentials, cryptocurrency wallets, and other sensitive data.

A second malvertising group, often referred to as malsmoke, is also using exploit kits to install malware known as Smoke Loader. They, too, are displaying malicious ads on xHamster by purchasing space from a legitimate ad network.

“Malsmoke is probably the most persistent malvertising campaign we have seen this year,” the Malwarebytes post said. “Unlike other threat actors, this group has shown that it can rapidly switch ad networks to keep their business uninterrupted.”

Protecting yourself

With a little training, it’s not hard to spot most malvertising attacks. They usually start with being redirected from the site users were viewing to a site they don’t recognize and made no attempt to visit. Readers who find themselves in this position should close the browser and disconnect the computer from the Internet as quickly as possible. They should never click on links.

The better protection is to use a modern browser such as Edge, Firefox, Chrome, or Brave. The latter is a relatively new offering that's built from the same Chromium engine as Chrome. All of these browsers have been hardened with security sandboxes and other protections designed to thwart malware attacks. Using IE in 2020 is reckless, whether viewing porn or any other kind of Web content.
