Categories: SecurityWorkspace

Kyle and Stan Malvertizing Network Poses a Major Risk

Research from a newly formed security intelligence group at Cisco has revealed  a large malvertising network that is impacting well-known domains, including Amazon, Yahoo and YouTube. The malvertising network has been named “Stan and Kyle” and is likely a reference to the popular Comedy Network cartoon “South Park.”

Malware-infected online advertising, typically referred to as malvertising, is an increasingly growing threat. In a malvertising attack, online ads are infected with some form of malware that redirects users to unintended locations, in many cases dropping malicious downloads in the process.

Armin Pelkmann, threat researcher in the Talos Security Intelligence and Research Group at Cisco, explained to eWEEK that when Talos first observed the malvertising attack, it found “Stan” and “Kyle” subdomains. Domains of that style make up more than a third of the total of domains found.

“So we can only assume that the attackers are fans of that show and used ‘South Park’ names for their scheme,” Pelkmann said.

Talos is a recently formed group within Cisco that consolidates several different prior research efforts. Pelkmann noted that the Talos Security Intelligence and Research Group is made up of leading threat researchers supported by sophisticated systems. Talos maintains the official rule sets of Snort.org, ClamAV, SenderBase.org and SpamCop.

“Talos’ renowned security experts are a combined team from Sourcefire’s Vulnerability Research Team, Cisco’s Threat Research and Communications (TRAC) and Cisco Security Applications group,” Pelkmann said. “The team’s expertise spans software development, reverse engineering, vulnerability triage, malware investigation and intelligence gathering.”

Stan and Kyle’s Neighborhood

According to the Talos research, there are now 6,491 malicious domains that are part of the Kyle and Stan malvertising network. What is not definitely known at this point is precisely how many malicious ads have been served by Kyle and Stan.

“Only the people running the exploited ad networks can with 100 percent accuracy answer this,” Pelkmann said.

Talos has shown that some of the biggest Websites on the Internet were abused by this attack, he added. Though an attack might only last for a few minutes before being detected and shut down, Pelkmann warned that the impact could potentially reach millions.

At the root of the Kyle and Stan malvertising attack is JavaScript code that is injected into an online advertisement that redirects users.

“You are surfing on a trusted Website—and, boom, without clicking on anything, you are on a malicious Website that offers you a malware download or starts the download for you already,” Pelkmann said. “And the attack is smart because it finds out what operating system and browser you are using to deliver you a piece of malware that will work on your platform.”

The Kyle and Stan malvertising effort is actually using legitimate advertisement networks that can be used to display information on the big sites of the Internet. The malicious ad takes the user from the safe place, through a number of redirects, to malicious Websites that are hosting the malware to infect the users.

At this point, there are some indications on possible attribution for who is behind the Kyle and Stan attack. In the “South Park” TV show, the Cartman character is often involved in various bad efforts.

“When in doubt, it is pretty safe to assume that Cartman has something to do with it,” Pelkmann joked.

On a more serious note, Pelkmann said that Amazon Web Service and a Spanish service provider’s network have been used for most of the attack’s infrastructure.

“We are working with the industry to shut down the malvertisement network,” Pelkmann said.

How much do you know about hacking? Take our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Samsung Touts AI Features With Galaxy S25 Smartphones

Launch of Samsung's Galaxy S25 Ultra, Galaxy S25+ and Galaxy S25 sees the handsets described…

2 hours ago

LinkedIn Sued Over Alleged Use Of Private Messages To Train AI

Microsoft's LinkedIn sued for allegedly using customer data, including private messages, to train AI models…

4 hours ago

Amazon To Shutter Sites In Unionised Province In Canada

1,700 jobs to be lost in Quebec, as Amazon says it will close seven sites…

19 hours ago

Google Wins UK Injunction To Halt Russian Enforcement Of Judgements

Google wins permanent injunction from London's High Court to prevent enforcement of Russian YouTube judgements

21 hours ago

Tech Giants Announce $500 Billion AI Plan In US

OpenAI, SoftBank, Oracle and others form joint venture called 'The Stargate Project' – to build…

22 hours ago

CMA Chair Replaced By Government Amid Growth Drive

Government replaces chairman of the competition watchdog with former Amazon boss, amid Labour's “growth” drive…

23 hours ago