A number
of popular, high-profile websites have become targets of an extensive
malvertising campaign. The websites attacked include many big names such as
MSN, AOL, BBC, and The New York Times. Remember, this is not the first time for
MSN to serve malicious adverts. In January 2015, the portal was dropping malware user PCs
part of a sophisticated malvertising campaign.

Malwarebytes reported
that the malicious ads appeared out of nowhere and suddenly all the big
publishing house websites got hit by it. The list of websites is pretty long as
it included,
etc., apart from the ones mentioned above.
This new
wave of malvertising campaign involves installation of crypto-ransomware along
with other malware through adverts on these websites. When users visit these
sites, the malware easily gets
transferred onto the users’ computer system.
such tainted ads, computers of hundreds and thousands of internet users have
become affected. The malvertising campaign was identified by security firm Trend
 and the details were revealed in its official
blog post.
How it all started?
This campaign started off previous week with
laced banner ads being pushed via an infected ad network and spread through Angler
, Microsoft Silverlight and similar commonly used
SpiderLabs group
published a blog post in which it was revealed that a JSON-based file is being
distributed through these tainted ads. The file contains around 12,000 lines of
code. When deciphered by security researchers, it was discovered that this
obfuscated code enumerated a wide range of security tools and protocols, which
it can avoid to remain unidentified.
According to Dabiel
Chechik, Rami Kogan and Simon Kenin from SpiderLabs: “If the code doesn’t find
any of these programs, it continues with the flow and appends an iframe to the
body of the HTML that leads to Angler EK [exploit kit] landing page. 
Upon successful exploitation, Angler infects the
poor victim with both the Bedep trojan and the TeslaCrypt ransomware–double the
The infected ads aren’t
only appearing on publishers or news websites but also on sites like and
The domains from which
these ads are being launched are associated with infected ad networks such as
the most commonly appearing domain name is brentsmedia[.]com.
trackmytraffic[c], biz and talk915[.]com, evangmedia[.]com and
It is being speculated by
researchers that the attackers are making use of domain names that contain the
term Media to make their infected domains appear as legitimate.
How to stay protected?
This campaign, however,
highlights the important role that smart browsing plays in preserving our
privacy and security while surfing the web. To avoid being exploited by
malicious actors, security experts urge users to decrease their “attack
surface,” which refers to uninstalling software like Oracle Java, Adobe Flash,
Microsoft Silverlight, etc. In fact, users must delete all kinds of third party
browser extensions that are unnecessary. Moreover, to ensure safe browsing,
users must immediately install updates using the 64-bit Chrome version.

via Blogger