Visitors to the website of German broadband provider T-Online have been the target of an advanced 'malvertising' attack that uses banking Trojans to infect user machines, according to research by security company Invincea.
The firm says that for much of the past week, visitors to T-Online’s site were hit with ads dropping sophisticated rootkit/banking Trojan malware and click-fraud malware in intricate attacks designed to steal financial information, gain persistent footholds on victim PCs and hijack them for additional fraudulent activity.
The cyber criminals configured their malicious ads to employ just-in-time (JIT) malware assembly on victim machines and incorporated Windows utility-based scripting in order to evade traditional endpoint and network defenses.
"It is likely that thousands of T-Online users have been impacted by this malvertising campaign," says Invincea. "The ISP’s site is ranked the tenth most popular website in Germany, and 296th worldwide according to Alexa, making it the type of high-traffic domain coveted by malvertising actors."
The Trojans are related to Tinba, the “Tiny Banking” Trojan and rootkit family, which persists on the host and captures online banking credentials. In addition to banking Trojans, Bedep click-fraud bots were also delivered, which would turn an endpoint into a “zombie host” that would secretly click advertisements in an invisible browser in order to generate fraudulent advertising revenue.