Another Massive Advertising Attack Exposed


The latest malvertising scheme, which ran on both large and small ad networks, ran for almost three weeks, according to Malwarebytes

Security researchers have uncovered a major malware advertising campaign that ran undetected for several weeks on a number of online ad networks potentially affecting millions of users’ systems.

Malwarebytes, which discovered the campaign, said it used a number of advanced tricks to avoid detection, with unusual care taken by those behind it to pose as legitimate advertisers.

Undiscovered attack

cisco“Despite its large scope and impact, it ran mostly uninterrupted for almost three weeks, according to telemetry data we were able to mine once we uncovered the scheme,” Malwarebytes said in an advisory.

Users who encountered the malicious ads were linked to a widely used exploit kit called Angler which attempted to carry out fraud schemes or install ransomware on the system. Ransomware typically encrypts a system and then demands payment to unlock the data.

The campaign ran on major websites including eBay UK, The Drudge Report and TalkTalk, and advertising networks including DoubleClick’s EMEA network, Malwarebytes said. DoubleClick did not immediately respond to a request for comment.

The attackers took an unusual degree of care in concealing themselves, refraining from implanting malware in the ads themselves and making use of web addresses that had been registered for years, some of which were even registered with the Better Business Bureau. They submitted their ads through standard ad bidding schemes.

“This decoy worked well enough to fool many ad networks with direct ties to the major ones in the online ad industry,” Malwarebytes wrote. “The ads themselves were not booby trapped at all, which again made it more difficult to spot something suspicious.”


The attackers used encrypted traffic and URL shorteners, amongst other means, to conceal the fact that traffic was being redirected to malicious servers, the firm said.

The company argued that such schemes are continuing to be successful in part because advertisers are allowed to serve their content from their own systems, giving them complete control over the ad-serving process and thus a direct link to those viewing the ads.

“The ad could be clean or booby trapped, but the rogue actors are in full control of the delivery platform and can instruct it to perform nefarious actions that will easily bypass most security checks,” the firm said

Malwarebytes said the numerous attacks using major websites and ad networks that have been reported in recent weeks are only the “tip of the iceberg”.

“There are some campaigns that are so advanced that no one will ever see or hear about them,” the firm stated.

Are you a security pro? Try our quiz!

Click to read the authors bio  Click to hide the authors bio