Hackers Use Adf.ly To Deliver a New Tinba Variant
If you visit adf.ly links often, there is a huge chance that you are infected with a new variant of Tinba banking malware.
Researchers at security firm Malwarebytes have observed the Timba variant being distributed via the HanJuan Exploit Kit as part of a malvertising attack that involves advertising and URL shortening service Adf.ly.
When a user visits a malvertised Adf.ly link, the HanJuan EK loads and fires Flash Player (CVE-2015-0359) and Internet Explorer (CVE-2014-1776) exploits. Then it drops the banking malware onto users' disk.
"The payload we collected uses several layers of encryption within the binary itself but also in its communications with its Command and Control server. The purpose of this Trojan is information stealing performed by hooking the browser to act as a man-in-the-middle and grab passwords and other sensitive data," said Jerome Segura, senior security researcher at Malwarebytes.
How To Protect Yourself
If you want to protect yourself from malvertising attacks, you should disable Flash Player in web browsers or install Anti-exploit on your computer.
Most important thing is....you must install patches and updates regularly.
We are sorry for the inconvenience but this is something AdFly is obviously not letting happen on purpose. We count with several methods to prevent fraudulent advertising, unfortunately (and very ocassionally) if a fraudulent advertising changes the redirection of a campaign after been reviewed by us, this is a possibility.
ReplyDeleteThis specific campaign has been located now and cancelled.
We normally ask our users to report malicious ads to the email abuse@adf.ly providing the IP address that has seen it at least in the last 48 hours. This should allow us to track it and in most of the cases suspend the advertiser's account.