<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><img src="https://info.threatstop.com/hubfs/Article%20Internal%20Images/RoughTed/RoughTed.jpg" alt="RoughTed.jpg" style="display: block; margin-left: auto; margin-right: auto;" width="455" height="307">Malvertising is one threat that even the most vigilant users have to watch out for. Its danger lies in the fact that infection can occur while visiting a common, legitimate website: the malware is embedded in the ads served on the site, not in the site itself.</p> <p>A simple mitigation many people have relied on is to block online advertisements altogether. However, the discovery of the <strong>RoughTed</strong> malvertising campaign shows that cybercriminals are constantly changing their tactics in order to find holes in a user’s defenses.</p> <p><a href="https://blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser/">Researchers at Malwarebytes</a> showed how even users running popular ad-blockers such as <a href="https://adblockplus.org/">Adblock Plus</a> and <a href="https://www.ublock.org/">uBlock Origin</a> were still exposed to malvertising redirects from websites affected by the <strong>RoughTed</strong> campaign.</p> <p>They also noted the large scale of the campaign, with more than half a billion hits to infected domains in the span of just three months. Much of the campaign’s traffic came from video streaming and file sharing websites that used URL shorteners.</p> <p>The campaign used advanced fingerprinting techniques to profile its victims and determine which payload to deliver.
For example, Mac users received a page showing fake updates that pretended to be from Apple, and Google Chrome users received malicious Chrome extensions that collect the user’s data on every website they visit. Tech support scams and exploit kits such as <strong><a href="https://blog.threatstop.com/rig-exploit-kit-takedown-operation-shadowfall" target="_blank" rel="noopener">Rig</a></strong> and <a href="/magnitude-ek-whats-shakin" target="_blank" rel="noopener"><strong>Magnitude</strong></a> were also delivered in this campaign.</p> <p>The operators also hid their activity behind Amazon’s Content Delivery Network (CDN) and used multiple redirects across different advertisers, which made it harder for researchers to pinpoint the origin of the malware.</p> <p>Enabling the <strong>TSCritical General</strong> and <strong>TSCritical Ransomware IP Addresses</strong> targets in policies for the ThreatSTOP DNS Firewall Service and IP Firewall Service protects against campaigns like <strong>RoughTed</strong>. If you do not have a ThreatSTOP account, sign up for a free trial.</p> <p>If you do have a ThreatSTOP account, instructions for adding targets to a <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+DNS+Firewall#ThreatSTOPDNSFirewall-DNSFWPolicy">DNS</a> or <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+IP+Firewall">IP</a> Firewall policy are available on the ThreatSTOP Documentation Hub, or contact our team.</p></span>
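<p>The redirect behaviour described above (a click on a URL shortener bouncing across several advertiser domains before landing on an OS-specific download such as a fake Apple update) leaves a recognisable trail in web proxy logs. The script below is an added illustration, not ThreatSTOP's or Malwarebytes' code; it reconstructs redirect chains per client from a constructed proxy log and flags chains that span many distinct hosts or end in an installer or extension file. The log lines, the shortener list and the thresholds are all hypothetical.</p>

```python
from collections import defaultdict
from urllib.parse import urlparse
# Constructed proxy log (hypothetical): <seq> <client> <method> <url> <status> <Location or ->
PROXY_LOG = """\
1 10.0.0.5 GET http://short.example/abc 302 http://ads-one.example/click?id=7
2 10.0.0.5 GET http://ads-one.example/click?id=7 302 http://ads-two.example/r
3 10.0.0.5 GET http://ads-two.example/r 302 https://dl.cdn.example/FakeUpdate.dmg
4 10.0.0.5 GET https://dl.cdn.example/FakeUpdate.dmg 200 -
5 10.0.0.9 GET http://short.example/xyz 302 https://news.example/story
6 10.0.0.9 GET https://news.example/story 200 -
"""

SHORTENERS = {"short.example"}                  # hypothetical shortener list
PAYLOAD_EXTS = (".dmg", ".crx", ".exe", ".js")  # fake updates, extensions, droppers
MIN_HOPS, MIN_HOSTS = 3, 3                      # thresholds; tune per environment

def parse(log):
    """Group (url, status, location) tuples by client, preserving log order."""
    by_client = defaultdict(list)
    for line in log.splitlines():
        _, client, _, url, status, loc = line.split()
        by_client[client].append((url, int(status), loc))
    return by_client

def chains(records):
    """Start at a shortener and follow while each 3xx Location is the next request."""
    out, i = [], 0
    while i < len(records):
        url, status, loc = records[i]
        if urlparse(url).hostname in SHORTENERS:
            chain = [url]
            while 300 <= status < 400 and i + 1 < len(records) and records[i + 1][0] == loc:
                i += 1
                url, status, loc = records[i]
                chain.append(url)
            out.append(chain)
        i += 1
    return out

def suspicious_chains(log):
    """Flag chains spanning many distinct hosts or ending in a payload download."""
    hits = []
    for client, records in parse(log).items():
        for chain in chains(records):
            hosts = [urlparse(u).hostname for u in chain]
            payload = urlparse(chain[-1]).path.lower().endswith(PAYLOAD_EXTS)
            if (len(chain) - 1 >= MIN_HOPS and len(set(hosts)) >= MIN_HOSTS) or payload:
                hits.append({"client": client, "hops": len(chain) - 1, "hosts": hosts, "payload": payload})
    return hits
```

<p>Running <code>suspicious_chains(PROXY_LOG)</code> flags only the first client, whose shortener click hops across three advertiser hosts and ends on a CDN-hosted <code>.dmg</code>; the second client's shortener simply resolves to a news article and is left alone.</p>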