A team of security researchers at Proofpoint have reported that they have identified a "malvertisng" campaign which used ads displayed on high traffic sites to infect the computers of anyone who visited the site.
Malvertising attacks use online advertising channels to infiltrate malware into the computers of unsuspecting users by embedding malicious code within legitimate advertisements on trusted websites. There is no visible indication that the trusted site is compromised: simply by visiting a site, users can get infected via "drive-by download".
Proofpoint reported that the malvertsing was concentrated on 3 ad networks (Rubicon Project, Right Media / Yahoo Advertising, OpenX), and they noted that they found the malicious ads on AOL, Yahoo, 9GAG, and Match.com as well as news sites ranging from The Atlantic to Stuff.co.nz to The Age. They went on to add that this campaign first started to show up in late September and grew until there were enough instances that the researchers could track the campaign.
Proofpoint reports that they subsequently worked quickly to inform the affected parties who then took steps to remove the ads. The last malicious ad was detected on 18 October.
Or rather, the last sign of that campaign was detected last week; it's certainly not going to be the last malicious ad ever, which means that users will still need to protect themselves.
It's pretty clear no one else is going to be able to:
Malvertising attacks are a growing problem; research shows that billions of malicious advertisements are being served each year. Malvertising attacks are especially virulent for two reasons. First, leveraging the online ad network gives attackers the ability to target specific groups; attackers can ensure infection across a designated demographic or targeted set of audiences. Second, because there are so many players in the supply chain through which a given advertisement passes, attackers can more easily avoid detection.
To put it simply, an ad blocker isn't a sign of selfishness anymore; it's now part of the basic security steps you should take when browsing online.
I know that's going to upset anyone who relies on advertising (I don't like it) but that doesn't change the fact that this won't be the mast malvertisng campaign. Until the online ad industry gets better at preventing malicious ads, people have to protect themselves, and that means blocking ads.