RoughTed.jpgOne family of malware that even the most vigilant of users has to be careful of is malvertising. Malvertising's dangers come from the fact that malware infection can occur from visiting a common legitimate website, as the malware is embedded within the ads on the website, rather than the website itself.

A simple solution that people have used to mitigate this threat was to just block online advertisements altogether. However, the discovery of the RoughTed malvertising campaign shows that cybercriminals are constantly changing their tactics in order to find holes in a user’s defenses.

Researchers at Malwarebytes showed how even users with popular ad-blockers such as Adblock Plus and uBlock Origin were susceptible to malvertising redirects from websites affected by the RoughTed campaign.

They also noted the large scale of the campaign, with more than half a billion hits to infected domains in the span of just three months. Much of the campaign’s traffic came from video streaming and file sharing websites that used URL shorteners.

The campaign used advanced fingerprinting techniques to profile its victims to determine what kind of payload would be appropriate. For example, Mac users received a page showing fake updates that pretended to be from Apple, and Google Chrome users received malicious Chrome extensions that collect the user’s data on every website they visit. Tech support scams and exploit kits like Rig and Magnitude EKs were also seen being delivered in this campaign.

The campaign also hid their activity within Amazon’s Content Delivery Network (CDN) and using multiple redirects across different advertisers, which made pinpointing the origin of the malware more difficult for researchers.

Enabling the TSCritical General and TSCritical Ransomware IP Addresses targets in policies for ThreatSTOP DNS Firewall Service and IP Firewall Service protects against campaigns like RoughTed. If you do not have a ThreatSTOP account, Sign up for a free trial.

If you do have a ThreatSTOP account, instructions to add targets to a DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub. Or contact our Support team.