Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Major Malvertising Operation Went Undetected for Three Weeks

A malvertising campaign affecting the websites of several major companies went undetected for almost three weeks, according to antivirus firm Malwarebytes.

A malvertising campaign affecting the websites of several major companies went undetected for almost three weeks, according to antivirus firm Malwarebytes.

Malvertising operations have become increasingly common because they allow cybercriminals to push malware onto victims’ computers without having to trick them into downloading email attachments or clicking on links.

The latest attack observed by Malwarebytes managed to stay under the radar for almost three weeks because the attackers used some clever techniques to avoid detection.

First of all, they registered on various ad platforms using companies that appeared legitimate — their websites had been created years ago, and some of them were even listed by the Better Business Bureau. The attackers managed to trick many advertising networks, including ones that had ties to major industry players such as DoubleClick, AppNexus, engage:BDR, and ExoClick.

As a result, the malicious advertisements reached the visitors of many high-traffic websites, including eBay, Drudge Report,, eHow Espanol, TalkTalk, News Now, and Manta.

Once they tricked ad platforms into thinking that they were representing legitimate companies, the cybercriminals used real-time bidding to push their ads. One of the factors that made this campaign difficult to spot was the fact that the advertisements themselves were not malicious, Malwarebytes explained.

The attackers had been able to redirect victims to their malware-serving websites by loading the ads directly from a rogue ad server. Users were taken via URL shorteners or custom APIs to Angler exploit kit landing pages set up to push ransomware or ad fraud malware by exploiting vulnerabilities in unpatched software.

According to Malwarebytes, the highest number of users who accessed the exploit kit landing pages were located in the U.S. (46%) and the U.K. (36%). The security firm alerted advertisers and they took steps to disrupt the campaign.

“While malvertising has made headlines during the past few months, the attacks that are documented publicly are only the tip of the iceberg. There are some campaigns that are so advanced that no one will ever see or hear about them, which is exactly what threat actors are hoping for,” Jérôme Segura, senior security researcher at Malwarebytes, wrote in a blog post.

“This particular case is a good illustration of why screening advertisers is so important, especially when they are allowed to host and serve the ad content themselves. The ad could be clean or booby trapped, but the rogue actors are in full control of the delivery platform and can instruct it to perform nefarious actions that will easily bypass most security checks,” the expert added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...