Security awareness programs usually focus on telling employees about safe email practices and passwords, and less on identifying and staying away from dangerous Web sites. However, browsing the wrong sites can have just as harmful an effect on the enterprise as clicking on a malicious attachment.
That came to mind with the release Tuesday of a blog from Malwarebytes warning that Canadians and people living in the U.K. are apparently the biggest targets of a recent malvertising campaign distributing the Ramnit Trojan, which steals data such as banking and FTP credentials.
Their sin? Visiting adult Web sites.
“Malicious actors are using pop-under ads (adverts that load in a new browser window under the current active page) to surreptitiously redirect users to the RIG exploit kit,” which in this campaign delivers Ramnit, says the blog by Jerome Segura, Malwarebytes lead intelligence analyst, who is based in British Columbia.
Pop-under ads are usually triggered when a user clicks on an item on the site they are browsing. In this campaign, clicking on one of the category thumbnails on a page launches the pop-under window behind the main page.
What Segura found is that while benign adult content loads in the pop-under, there is also a redirect to a malicious site which does some geo-location fingerprinting to confirm that a Canadian or U.K. user has clicked on the item. If so, the RIG exploit kit is delivered. Visitors from outside Canada and the U.K. were fed a bogus offer instead of the exploit kit, Segura’s tests found.
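The chain described above (content page, pop-under to the ad network, redirect to a geo-gating host, landing page that serves a Flash object) leaves a trail in a web proxy log even when the exploit itself is not caught. The following is an added example, not Malwarebytes’ tooling or anything from the original blog: it follows referrer links from an ad-network request and flags a client whose chain crosses at least three hosts and ends in a .swf fetch. The log lines and every hostname (adultsite.example, ads.adnet.example, geo-gate.example, landing.example, offers.example) are constructed for the example.

```python
"""Flag pop-under -> geo-gate -> Flash landing chains in a proxy log.

Added example with constructed data; none of the hosts below are real
campaign infrastructure. Chains are followed by referrer, not by HTTP
status, because the gating hop may be a JavaScript redirect rather than a 302.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: timestamp client method url status referrer
SAMPLE_LOG = """\
2017-08-22T10:00:01Z 10.0.0.5 GET http://adultsite.example/category/1 200 -
2017-08-22T10:00:02Z 10.0.0.5 GET http://ads.adnet.example/popunder?zone=42 302 http://adultsite.example/category/1
2017-08-22T10:00:02Z 10.0.0.5 GET http://geo-gate.example/check?cc=CA 302 http://ads.adnet.example/popunder?zone=42
2017-08-22T10:00:03Z 10.0.0.5 GET http://landing.example/index.php?q=abc 200 http://geo-gate.example/check?cc=CA
2017-08-22T10:00:04Z 10.0.0.5 GET http://landing.example/flash.swf 200 http://landing.example/index.php?q=abc
2017-08-22T10:05:00Z 10.0.0.9 GET http://adultsite.example/category/2 200 -
2017-08-22T10:05:01Z 10.0.0.9 GET http://ads.adnet.example/popunder?zone=42 302 http://adultsite.example/category/2
2017-08-22T10:05:01Z 10.0.0.9 GET http://offers.example/win-a-prize 200 http://ads.adnet.example/popunder?zone=42
"""

# Hypothetical ad-network host(s) whose pop-unders we want to follow.
AD_HOSTS = {"ads.adnet.example"}


def parse_log(text):
    """Parse the six-field constructed log format into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, url, status, ref = line.split()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "method": method,
            "url": url,
            "status": int(status),
            "ref": None if ref == "-" else ref,
        })
    return entries


def host(url):
    return urlparse(url).hostname


def redirect_chains(entries, ad_hosts, window=timedelta(seconds=30)):
    """Starting at each ad-network request, follow requests whose referrer
    is the previous hop, within a short time window, per client."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    chains = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(reqs):
            if host(start["url"]) not in ad_hosts:
                continue
            chain, cur = [start], start
            for nxt in reqs[i + 1:]:
                if nxt["ts"] - start["ts"] > window:
                    break
                if nxt["ref"] == cur["url"]:
                    chain.append(nxt)
                    cur = nxt
            chains.append((ip, chain))
    return chains


def find_suspect_chains(entries, ad_hosts=AD_HOSTS):
    """Flag chains spanning >= 3 distinct hosts that end up fetching a .swf,
    the pattern of ad -> gating host -> exploit-kit landing with Flash."""
    findings = []
    for ip, chain in redirect_chains(entries, ad_hosts):
        hosts = []
        for e in chain:
            h = host(e["url"])
            if h not in hosts:
                hosts.append(h)
        has_swf = any(urlparse(e["url"]).path.lower().endswith(".swf") for e in chain)
        if len(hosts) >= 3 and has_swf:
            findings.append({
                "client": ip,
                "origin": host(chain[0]["ref"]) if chain[0]["ref"] else None,
                "hosts": hosts,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspect_chains(parse_log(SAMPLE_LOG)):
        print(f["client"], "from", f["origin"], "->", " -> ".join(f["hosts"]))
```

Only client 10.0.0.5 is flagged; 10.0.0.9, which the gate sent to the bogus offer, never reaches a third host or a Flash object. The caveat this illustrates is the one in Segura’s test: a sandbox or replay from outside the targeted countries will see the harmless offer page, so hunting in the proxy logs of real users in the targeted region is more reliable than detonating the ad URL from elsewhere.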
In a separate blog Segura warned Canadian smartphone owners that in addition to email, SMS is still being used for phishing attacks. He cited a recent campaign purporting to be from the Royal Bank with a message reading “Activities in your RBC account is unusual,” with a link to click on. That leads to a real-looking but phoney login page that asks for many credentials, including driver’s license, phone number and all three security questions, to gain access to a victim’s account. The bank has been notified and the web site blacklisted.
The adult website campaign marks the return – again – of the Ramnit botnet. First seen in 2010, it was taken down in 2015 but was revived last year. When we wrote about that takedown an IBM report said 55 per cent of victims were from Canada, with others stung in Australia, the U.S. and Finland.
This particular campaign victimized the ExoClick ad network, which has been warned by Malwarebytes about the problem and has stopped the fraudulent advertiser.
In an interview this morning Segura couldn’t explain why this particular campaign is aimed at Canada and the U.K.
Regardless of the reason, infosec pros have to make sure all computers under their control are patched. “There is no social engineering involved,” Segura points out. The exploit kit leverages browser and Adobe Flash vulnerabilities.
In addition, if security policies allow it, end user systems should be equipped with ad blockers, he said.
CISOs have to remember that security awareness training is not only about changing behavior in the office, but also on the road and at home – regardless of whether the employee is using a company provided device or their own.
It seems trite to tell staff that visiting even a seemingly soft-core porn site is likely dangerous, but many still aren’t getting the message.