Malvertising Campaign Hits Top Dutch Sites

Matthew Broersma,
malware

Campaign utilising malicious ads has hit most of the Netherlands’ most popular websites, affecting millions of users

A new malicious advertising campaign has infected millions of users in the Netherlands through one of the country’s most popular online portals.

The campaign began to spread on Sunday and affects at least 288 sites, including Nu.nl, the most-visited Dutch-language news portal, according to IT security specialists Fox-IT.

HSBC

Top sites hit

Web analysis firm SimilarWeb estimates that Nu.nl alone had more than 50 million visitors in March. Other affected sites include eBay-style service Marktplaats.nl and well-known news and culture sites, Fox-IT said.

The company said it initially began noticing a rise in security incidents involving exploit kits, and traced the incidents to malware being spread via an advertising provider used by many well-known sites.

The firm contacted the advertising provider, which has begun blocking the malicious web addresses involved.

While the malicious code is now being filtered, Fox-IT said the malicious sites remain active.

“They will be tracking down the affected content provider as this issue has not been fully resolved,” the company said in an advisory.

Complex attack

The campaign bypassed ad network filters by using Internet addresses that loaded external scripts which in turn further redirected traffic toward exploit kits including one known as Angler, Fox-IT said.

Outbreaks of malicious advertising are a growing problem, as criminals find ever-more-sophisticated ways of evading security checks and spreading malicious code to users via top advertising networks.

Last month visitors to the websites of The New York Times, the BBC, MSN, AOL and other well-known sites were exposed to malicious ads that used the Angler exploit kit to spread a type of ransomware called Teslacrypt.

UK targeted

Security researchers found that the attack built up slowly over time, before becoming more visible when higher-profile publishers were targeted.

“It’s important to note that while these popular sites are involved in the infection process they are, much like infected clients, victim of malvertising,” said Trustwave’s SpiderLabs Research at the time.

Exploit kits such as Angler run on web servers and identify software vulnerabilities in client systems, which can then be exploited to install malicious code of the attacker’s choice on that system.

Previous research from Malwarebytes found that the UK is the world’s third-largest target for malicious ad infections, behind only the US and Canada.

Are you a security pro? Try our quiz!