It's a perfect storm of Internet iniquity: A three-month-old malvertising campaign is exploiting two recently discovered Adobe Flash Player flaws to infect people's computers with ransomware. If you're counting, that's three cybercrime buzzwords in one — and the result is a dire threat that may have affected popular websites such as the Huffington Post and Answers.com.
The malvertising campaign, dubbed Fessleak after an email address used to register malicious domain names associated with the campaign, began in mid-October and initially used a Windows flaw to infect PCs with what Fairfax, Virginia-based security company Invincea called "advanced ransomware."
But after Microsoft patched that flaw Jan. 13, Fessleak switched to running ads that exploited first one, then a second, Adobe Flash Player zero-day flaw — so called because attackers discovered and used the flaws first, giving Adobe zero days to patch its software. (Both flaws have since been patched.)
Invincea, which chronicled the malvertising campaign in a blog post Feb. 4, the same day Adobe patched the second flaw, said that Fessleak can even detect when its malware dropper attempts to run in a virtual container, an isolated environment that security researchers use to study malware.
If Fessleak detects a virtual container, its dropper will shut down, which may be why Invincea didn't name the specific kind of ransomware involved. Similar malvertising campaigns have infected users with the Reveton strain of "police" ransomware, which tells victims they face prosecution for harboring pirated files or pornography unless they pay "fines" immediately.
Malvertising refers to when online criminals slip malicious advertisements into legitimate ad networks that feed ads to widely viewed websites. These malicious ads then appear in the browsers of people who visit these sites, which can trigger malware infections.
Because it spreads via ad networks, Fessleak has affected many high-profile websites, including the Huffington Post and the New York Daily News. Sites hit since the campaign switched to the Adobe flaws include Answers.com and Thesaurus.com.
Malvertising campaigns such as Fessleak can be difficult to curb.
"It is important to note that the sites from which the malvertising were delivered are by and large unaware that their sites were used for delivering malware, and largely unable to do anything about it," Invincea notes.
Although these two latest Flash zero-days have been fixed, they won't be the last of their kind. To protect yourself against future attacks, you may want to disable Flash in your browser, or at least set Flash to Click to Play. This way, you can activate only the ads or videos using Flash that you wish to see, and the others will remain disabled.