Malvertising Hits Top Celebrity News Site

Tuesday, May 10, 2016

Ionut Arghire


Malvertising, the malicious activity that involves spreading malware via online advertising, has been trending up over the past few years, and 2016 might become a record-breaking year for it, Cyphort Labs researchers suggest.

Based on the pace at which unique domains used in malvertising have been found since the beginning of the year, Cyphort Labs estimates that 2016 will top 2100 unique domains, more than double compared to 2014. The growing trend was observed last year as well, when the number of unique domains used in malvertising and tracked by the security company reached 1654.

Because millions of users trust high-trafficked, clean sites, malvertisers have started to target them more often, because they promise wider reach and higher success rate for infection. Last year, malvertising campaigns were observed hitting the Yahoo! advertising network, as well as various well-trafficked sites from around the world, including eBay,, and TalkTalk.

Earlier this year, security companies noticed that top global sites were hit in a malvertising campaign leveraging the Angler exploit kit (EK), including,,,,, and others. Now, Cyphort researchers reveal that, which has around half a million daily users, was the most recent target of a malvertising attack.

The Cyphort researchers first noticed that the site was redirecting users to the Angler EK on April 30, 2016, and that the CryptXXX ransomware was being installed on the victim’s machines following the attack. The rogue advertiser in this campaign was, also used in another operation targeting visitors of KMOV and WBTV, two CBS affiliated TV stations.

In that attack, detailed by Malwarebytes last week, attackers were abusing the Taggify self-serve ad platform, while also hijacking GoDaddy accounts to create various subdomains pointing to malicious servers. While the main malvertising domain was parked, the subdomain was hosting an ad banner that would redirect users to Angler.

The redirector was used by other popular websites in early May as well, Cyphort says. Furthermore, was targeted again on May 6. The second time, however, attackers used the and redirectors, and were abusing Amazon Cloudfront CDN to distribute a different Exploit Kit.

“Malvertising continues to be one of the preferred vectors for attackers to compromise users’ machines with malware. Many users fought back by disabling all advertising to secure themselves. Nearly 200 million now use Adblock, according to Statista. In 2015, this form of ad blocking cost publishers nearly $22 Billion dollars,” researchers say.

In September last year, even Forbes was hit by a malvertising campaign launched through a third-party advertising service. According to FireEye researchers, might have redirected its visitors to Angler and Neutrino EKs between September 8 and September 15.

Related: Malvertising Campaign Abuses Baidu Ad API

Viruses & Malware
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.