Malware With Your News? Forbes Website Victim of Malvertising Attack


From Sept. 8 to Sept. 15, 2015, the Forbes.com website was serving content from a third-party advertising service that had been manipulated to redirect viewers to the Neutrino and Angler exploit kits.  We notified Forbes, who worked quickly to correct the issue.

This type of malicious redirection is known as malvertising, where ad networks and content publishers are abused and leveraged to serve ads that redirect users to malicious sites.

Neutrino Attack Chain

The attack starts when the following URL is requested from the Forbes.com website, as depicted in Figure 1:

hXXp://www3.forbes[.]com/test/[redacted]/IWC_ForbesLife_E-Reader_unit/fif.html

The following URLs were seen as referrers in the requests for fif.html:

www.forbes.com/2010/08/24/sabbatical-leave-work-leadership-careers-advice.html
www.forbes.com/sites/johnlamattina/2015/04/13/should-the-fda-require-cv-outcome-studies-for-diabetes-drugs-before-approval/
www.forbes.com/search/?q=CSR+articles
www3.forbes.com/business/the-worlds-100-highest-paid-athletes/?utm_campaign=highest-paid-athletes-2015&utm_source=yahoo-gemini&utm_medium=referral
www.forbes.com/sites
www3.forbes.com/investing/the-grateful-graduates-index-2015-the-top-50-roi-colleges/?kwp_0=40495&utm_campaign=the-grateful-graduates-index-2015-the-top-50-roi-colleges&utm_source=FacebookTest1&utm_medium=referral&utm_content=3&kwp_4=231627&kwp_1=186159
www.forbes.com/sites/abrambrown/2012/10/29/what-can-close-the-nyse-world-war-presidential-funerals-and-hurricane-sandy/
www3.forbes.com/lists/the-richest-person-in-every-state/?utm_campaign=richest-by-state&utm_source=taboola&utm_medium=referral&utm_content=reuters-reuters

Table 1. Referrers leading to request for “/test/[redacted]/IWC_ForbesLife_E-Reader_unit/fif.html”

Figure 1. Request to forbes.com; parameters contain URLs for loading ad content

The “&lu=” parameter visible in that request carries the encoded URI of a .js file on the host s.flite[.]com (see Figure 2); flite[.]com is another ad platform.

Figure 2. Request to s.flite[.]com

Loading the .js file results in the following iframe being loaded (Figures 3 and 4):

Figure 3. iframe to eminetwork[.]com

Figure 4. Request to eminetwork[.]com

The file FDPU_08_17_15_New_Eng_Educ_Innov contains another injected iframe leading to the Neutrino exploit kit (Figure 5).

Figure 5. iframe to Neutrino exploit kit

This loads the Neutrino landing page, which sets up the exploitation stage (Figure 6):

Figure 6. Neutrino landing page with reference to Flash exploit

The landing page then downloads a Flash exploit (MD5 e8ce10aab2c0585df10fe9420278e25c) (Figure 7).

Figure 7. Flash exploit being downloaded

The Flash file carries a set of exploits (shown in Figure 8) in its binaryData and uses one of them, chosen according to the victim’s environment, to download the malware. The binaryData is encoded with RC4; if the exploit targets IE, it is additionally zlib-compressed and must be inflated after RC4 decryption.

binaryData   Decrypted md5                     Summary
1.bin        fd9d3a5f51053818e38a79ad63292add  Flash, cve-2015-5119
2.bin        71b488c677490a82e8a9060a6a34bb9a  Flash, cve-2015-5122
3.bin        abf2c18c6a68e8a70eb069ae7cc4593d  Angler EK's IE cve-2015-2419 exploit
4.bin        575ba6a43945a739583633badee50f7f  IE, cve-2013-2551
5.bin        41edea8d4e6d187eb0f977b8bec27a98  Flash, cve-2014-0569
6.bin        adf2e242611449c8e93f3d849ec6a1cc  Vbscript, cve-2014-6332
7.bin        0266f91ffde4f00c233c7089dc38162b  Vbscript, cve-2014-6332

Figure 8. Exploits embedded
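To make the RC4-then-zlib layering concrete, here is an added Python example (not code from the original post or from the exploit kit) that strips both layers from a binaryData blob and reports the md5 and a rough type of what comes out, the two columns of Figure 8. The key and the sample blobs are constructed placeholders, since the post gives neither.

```python
import hashlib
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_binary_data(blob: bytes, key: bytes) -> bytes:
    """Remove the RC4 layer; if the result is a zlib stream (the IE
    exploits, per the post) inflate it too, otherwise return it as-is."""
    plain = rc4(key, blob)
    if plain[:1] == b"\x78":          # zlib header byte (CM=8, CINFO=7)
        try:
            return zlib.decompress(plain)
        except zlib.error:
            pass                      # looked like zlib but was not
    return plain

def classify(payload: bytes) -> str:
    """Cheap triage of the decoded payload (the Summary column)."""
    if payload[:3] in (b"FWS", b"CWS", b"ZWS"):
        return "Flash (SWF)"
    if b"vbscript" in payload.lower() or b"<script" in payload.lower():
        return "IE/VBScript (HTML)"
    return "unknown"

def triage(blob: bytes, key: bytes) -> tuple:
    """Return (md5 of decoded payload, classification), as in Figure 8."""
    payload = decode_binary_data(blob, key)
    return hashlib.md5(payload).hexdigest(), classify(payload)

# Constructed sample inputs: the real key and blobs are not given in the post.
DEMO_KEY = b"demo-key-not-real"
SWF_LIKE = b"CWS\x0f" + bytes(16)                       # SWF-style header
HTML_LIKE = b"<html><script language=vbscript>x</script></html>"
BLOB_FLASH = rc4(DEMO_KEY, SWF_LIKE)                    # RC4 only, like 1.bin
BLOB_IE = rc4(DEMO_KEY, zlib.compress(HTML_LIKE))       # RC4 over zlib, like 4.bin
```

Against a real sample you would feed each extracted binaryData entry and the recovered key to triage() and compare the md5 with the table above.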

ADDITIONAL INFORMATION

Further research showed that this malvertising attack led not only to the Neutrino exploit kit but to the Angler exploit kit as well. This behavior of switching between exploit kits is not new and has recently been documented here.

The following table lists some of the Angler URLs and the respective referrers. Note that all referrers come from the eminetwork.com domain.

Angler URL:  buttetpappaen.dog-collars-usa.com/forums/viewforum.php?f=17&sid=.59t9rd66l86101223y41&
Referrer:    /projects/FDPU/?FDPU=FDPU_09_07_15&FDPU2=FDPU_09_07_15

Angler URL:  sjlsagt.callcenterrecovery.com/forums/viewforum.php?f=77e&sid=w59t84495bl5t.8t40y3
Referrer:    /projects/FDPU/?FDPU=FDPU_09_01_15_Utah_Fin_Edu&FDPU2=FDPU_09_01_15_Utah_Fin_Edu2

Angler URL:  myymnkinatawan.web-homebiz.com/forums/index.php?PHPSESSID=4817a&action=4.5o2p3s103122110w4&
Referrer:    /projects/FDPU/?FDPU=FDPU_09_01_15_Utah_Fin_Edu&FDPU2=FDPU_09_01_15_Utah_Fin_Edu2

Angler URL:  penpicture-tairaka.joemuscolina.net/forums/index.php?PHPSESSID=95m.&action=93626s9191vzw48pt19493
Referrer:    /projects/FDPU/?FDPU=FDPU_09_07_15&FDPU2=FDPU_09_07_15

Angler URL:  tariff1bjerviscottonfactor.communitydentalgroup.com/boards/index.php?PHPSESSID=231&action=p2.t18gr108l43865
Referrer:    /projects/FDPU/?FDPU=FDPU_09_01_15_Utah_Fin_Edu&FDPU2=FDPU_09_01_15_Utah_Fin_Edu2

Angler URL:  mesententes-abkuessen.dsris.net/forums/search.php?keywords=1n9&fid0=8578.d616x8s36j1
Referrer:    /projects/FDPU/?FDPU=FDPU_09_07_15&FDPU2=FDPU_09_07_15

Angler URL:  heupbreuk.conejovalleyhealth.net/civis/index.php?PHPSESSID=18j&action=u6181.591ul99v2
Referrer:    /projects/FDPU/?FDPU=FDPU_09_07_15&FDPU2=FDPU_09_07_15

Angler URL:  linkpc.capitalhomealarm.com/boards/viewforum.php?f=9s&sid=4an.841241046j1003d9447pdi8
Referrer:    /projects/FDPU/?FDPU=FDPU_09_07_15&FDPU2=FDPU_09_07_15

Angler URL:  neuvostodemokratian.bankrepoautooutlet.com/forums/index.php?PHPSESSID=3e1ij&action=7942.q0el899
Referrer:    /projects/FDPU/?FDPU=FDPU_09_07_15&FDPU2=FDPU_09_07_15

Angler URL:  holectypmaneschi.compasspointlaw.com/boards/viewforum.php?f=98yo.&sid=v15166k5yk38884x553
Referrer:    /projects/FDPU/?FDPU=FDPU_08_17_15_S_Central_Southern_Educ_Innov

Table 2. Referrers from ad content provider, eminetwork.com, leading to Angler exploit kit.
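As an added example (not part of the original post), the following Python reconstructs the referrer chain described above from proxy logs and flags requests that the eminetwork.com creative hands off to a foreign forum-style landing URL of the shape seen in Table 2. The log lines are constructed: the hosts come from this write-up, while cdn.eminetwork.com and the paths ad.js and creative.swf are assumed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log ("<client> <url> <referrer>"), not from the post;
# cdn.eminetwork.com, ad.js and creative.swf are placeholders, the rest is the write-up's.
SAMPLE_LOG = """\
10.0.0.5 http://www.forbes.com/sites -
10.0.0.5 http://www3.forbes.com/test/REDACTED/IWC_ForbesLife_E-Reader_unit/fif.html http://www.forbes.com/sites
10.0.0.5 http://s.flite.com/ad.js http://www3.forbes.com/test/REDACTED/IWC_ForbesLife_E-Reader_unit/fif.html
10.0.0.5 http://eminetwork.com/projects/FDPU/?FDPU=FDPU_09_07_15&FDPU2=FDPU_09_07_15 http://s.flite.com/ad.js
10.0.0.5 http://linkpc.capitalhomealarm.com/boards/viewforum.php?f=9s&sid=4an.841241046j1003d9447pdi8 http://eminetwork.com/projects/FDPU/?FDPU=FDPU_09_07_15&FDPU2=FDPU_09_07_15
10.0.0.6 http://eminetwork.com/projects/FDPU/?FDPU=FDPU_09_07_15&FDPU2=FDPU_09_07_15 http://s.flite.com/ad.js
10.0.0.6 http://cdn.eminetwork.com/creative.swf http://eminetwork.com/projects/FDPU/?FDPU=FDPU_09_07_15&FDPU2=FDPU_09_07_15
"""

# Landing-page shape from Table 2: forum-style PHP script with a session-like parameter.
GATE_RE = re.compile(r"/(viewforum|index|search)\.php\?.*\b(sid|PHPSESSID)=", re.I)
AD_HOST = "eminetwork.com"

def parse_log(text):
    """Return (client, url, referrer) tuples; '-' means no referrer."""
    recs = []
    for line in text.splitlines():
        client, url, ref = line.split()
        recs.append((client, url, None if ref == "-" else ref))
    return recs

def host(url):
    return urlsplit(url).hostname or ""
def is_ad_host(h):
    return h == AD_HOST or h.endswith("." + AD_HOST)

def find_ek_hits(recs):
    """Requests referred by the ad network to a foreign forum-style PHP URL."""
    hits = []
    for client, url, ref in recs:
        if ref and is_ad_host(host(ref)) and not is_ad_host(host(url)) \
                and GATE_RE.search(url):
            hits.append((client, url))
    return hits

def referrer_chain(recs, client, url):
    """Walk referrers backwards for one client; returns hosts, oldest first."""
    by_url = {(c, u): r for c, u, r in recs}
    chain, seen = [], set()
    while url and url not in seen:          # stop at missing referrer or a loop
        seen.add(url)
        chain.append(host(url))
        url = by_url.get((client, url))
    return list(reversed(chain))
```

The creative fetched from the ad network's own subdomain is deliberately not flagged, so only the hand-off to a third-party landing host surfaces, together with the full publisher-to-ad-network-to-gate chain for that client.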

CONCLUSION

Malvertising continues to be an attack vector of choice for criminals making use of exploit kits. By abusing ad platforms – particularly ad platforms that enable Real Time Bidding, which we’ve covered before here – attackers can selectively target where the malicious content gets displayed.

When these ads are served by mainstream websites, the potential for mass infection increases significantly, leaving users and enterprises at risk.