Malware Attack on MadAds Sets Victims Against Each Other

The attack on MadAds Media this Saturday is the latest in a series of malware incursions that are becoming increasingly complex, damaging not only through the theft of information but because the victims end up blaming each other rather than the perpetrators. Saturday’s assault, which threw thousands of websites into turmoil, is one of many such attacks that now seem commonplace.

That, according to some analysts, is one of the most dangerous aspects of the phenomenon, with potentially huge financial ramifications. The affected sites lost traffic, and therefore revenue, once they were identified as vehicles for this most recent attack, even though the sites themselves were quickly found to have had nothing to do with the malicious software beyond displaying the ad network’s content. If those responsible can erode consumer confidence in the online marketplace for goods and information, the identity-theft aspect of the infestation may turn out to be only a small part of the losses incurred.

Saturday’s attack came to light when thousands of publishers using the MadAds Media service were flagged by Google’s Safe Browsing service, which warned visitors in Chrome and the other browsers that rely on it that entering the sites could expose them to malware. Traffic to the sites virtually stopped as visitors heeded the warnings. There were multiple victims in this crime: those whose information may have been compromised by the infection, the publications that carried the suspect ads, and the browser vendors that blocked the sites, all of whom were led by circumstances to blame one another. Many of the affected sites immediately criticized Google, which maintained it was making the right move to protect its own users from the detected malware. Although the wording of the warnings has been challenged as directing blame at the host websites, most of those affected have not accused the company of deliberately inflicting harm.

Attacks like these are designed to provoke just that kind of reaction. The type of damage done, together with the complexity of the methods and technology, lends credibility to the assertion that many of these malware campaigns are the work of state-sponsored programs. At the end of January, Bank of America Corporation and several other financial companies in the United States (US) were victims of a cyber-assault that is believed to have originated with members of Hamas in Palestine. Kaspersky, the internet security firm, recently issued a report on another threat that it describes as built on resources and a tool set it estimates could only have been provided by a nation-state. The report says this threat, called Careto, has made incursions in at least 31 countries. That campaign, also called The Mask, lured its victims with web addresses impersonating several publications, including The Washington Post. While that particular operation appears to have shut down in response to the ongoing investigation and Kaspersky’s disclosures, this weekend’s attack on publishers is similar enough in methodology, if not in scope, in its abuse of trusted news brands as a delivery vehicle, to raise questions about the next potential targets.

The information-gathering capabilities of the malware in these attacks seem almost secondary to its ability to erode confidence in trusted information sources. In a country where freedom of speech and of information is a fundamental principle, undermining public trust in information sources is a motive many consider plausible when weighing possible nation-state involvement. Whether or not this most recent MadAds incident originated with a state agency, the same pattern of fingers pointed everywhere but at the source has emerged.

The prevailing attitude is that these malware campaigns are unavoidable, almost an inherent part of the cyber landscape. With no specific target for the collective ire, the backlash has tended to fall on the very sites that were targeted. For that reason, many of the affected sites have chosen to say little, if anything, about Saturday’s events. While understandable, that choice benefits those who initiated the malware incursion more than anyone else. According to the Kaspersky report, the Careto campaign relied on exploits that fully patched software would in most cases have defeated; the attackers depended on out-of-date software on their targets’ computers. The same caveat applies to ad-delivered malware: a drive-by infection through a compromised ad generally needs an unpatched browser or plugin to succeed, so keeping that software current remains the most effective protection available to readers. The prevailing distrust, combined with a belief that such problems cannot be avoided, contributed to the attackers’ ability to exploit that weakness.

The Guardian Liberty Voice was among the publications hit on Saturday, as MadAds Media is one of the providers of advertising content on the site. Rather than help set the victims of the malware attack against each other, the publication has chosen to report openly on the day’s events. There is no way to undo the damage done by the assault, but allowing the perpetrators to succeed in stemming the flow of ideas and information would be self-defeating. If even the most sophisticated malware campaigns can be blunted by a wider understanding of how to protect against them, then an unimpeded flow of information appears to be the best guard against future challenges to the integrity of online institutions, both in the US and abroad.

By Jim Malone

Also see:

GuardianLibertyVoice

Sources:
ArsTechnica
Techworm
Bloomberg
WashingtonPost
Kaspersky