Massive Malvertising Campaigns Hit Sites Worldwide

Recently observed malvertising campaigns leveraged the same redirection gate to take users from all around the world to the landing page of the Neutrino exploit kit, Cisco Talos researchers reveal.

Like other malvertising campaigns, these operations involved malicious ads, an initial redirection point or gate, and an exploit kit that infects users with malware. In these campaigns, Cisco reveals, the redirection was performed through ShadowGate / wordJS, so named because it uses domain shadowing to host its activity.

The gate was first observed in 2015 and stands out not because of the high volume of traffic it registers, but because only a small fraction of the interactions with it actually lead to infection. Another particularity of this gate is that it tends to go dark for random periods of time, after which it returns and resumes redirecting users to exploit kits (EKs).

The gate originally redirected to Angler, and its traffic is not bound to Neutrino, Cisco says. While ShadowGate has used numerous domains over the past year, it used only a handful during August, including: merrybrycemas[.]com, hillarynixonclinton[.]net, phillyeagleholic[.]com, eagleholic[.]com, and hillarynixonclinton[.]com.

The gate isn’t sophisticated, researchers say. An iframe is set to be rendered “several feet to the left and several feet above the screen,” so it is never visible to the user, and it leads to a page associated with Neutrino. There, the EK landing page checks whether Flash is installed and, if it is, serves a Flash exploit. If Adobe Flash Player is not installed on the target machine, the infection doesn’t take place.
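As an added example (not code from the original article or from Talos), the following defender-side check scans ad markup for iframes whose inline style pushes them far off-screen, the pattern described above. The 1000px threshold and the sample ad markup are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

# Assumption for this example: an iframe positioned more than this many
# pixels off-screen on either axis is treated as hidden and flagged.
OFFSCREEN_PX = 1000

# Matches inline positioning such as "left:-3500px" or "margin-top: -4000px".
_POS_RE = re.compile(
    r"(?P<prop>margin-left|margin-top|left|top)\s*:\s*(?P<val>-?\d+)px", re.I
)


class HiddenIframeFinder(HTMLParser):
    """Collect the src of every iframe whose inline style places it off-screen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag names
            return
        a = dict(attrs)
        style = a.get("style") or ""
        for m in _POS_RE.finditer(style):
            if int(m.group("val")) <= -OFFSCREEN_PX:
                self.findings.append(a.get("src") or "")
                break                # one finding per iframe is enough


def find_offscreen_iframes(html: str) -> list:
    """Return the src values of iframes rendered far outside the viewport."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample: one ordinary visible ad iframe and one placed off-screen.
SAMPLE_AD_HTML = """
<div class="ad-slot">
  <iframe src="https://ads.example/banner" width="300" height="250"></iframe>
  <iframe src="https://gate.example/x.html" width="1" height="1"
          style="position:absolute; left:-3500px; top:-4000px;"></iframe>
</div>
"""

if __name__ == "__main__":
    for src in find_offscreen_iframes(SAMPLE_AD_HTML):
        print("off-screen iframe:", src)
```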

One of the malicious ads used in this campaign was observed on goldseek[.]com, a site about precious metals and their prices, and it carried the iframe typical of the campaign. Further analysis revealed that a wide range of sites were compromised, including several Chinese sites related to Information Technology, such as 51cto[.]com and elecfans[.]com.

According to Cisco, they “rarely find examples of full Chinese language sites serving malicious ads and compromising users via exploit kit gates.” Other Chinese and New Zealand sites were also impacted, including theregister[.]co[.]nz. On that site, researchers say, the traffic also involved SSL, and because every ad carried the malicious iframe, this suggested that an entire ad stream had been compromised rather than a single malicious ad being served.

After finding hundreds of similar cases on compromised New Zealand and Australian sites, the researchers found that the Middle East was also impacted, one example being alhilal[.]com, the website of a football/soccer team based in Saudi Arabia (the site is entirely in Arabic).

Next, the malicious ads were found on the website of a major US university, the newspaper website of a large US city, a Polish forum for bicycle enthusiasts, and the website of a large Canadian city. Pages associated with financial information, gun auctions/sales and smoking enthusiasts, as well as some “adult” websites, were also found serving them.

“Once the investigation was complete Talos had found a sophisticated, global, diverse malvertising campaign that potentially could have impacted millions of users based on the reach and popularity of the sites they impacted. It widely affected Europe, Asia Pac, Middle East, and United States. This was a global attack indiscriminately compromising users around the world,” researchers say.

Working with GoDaddy, through which the domains hosting ShadowGate were registered, the researchers were able to mitigate the threat. The malvertising campaign appears to have been shut down and the malicious activity stopped. However, the researchers fear that the campaign will reemerge after lying dormant for a while.

After shutting down this nefarious activity, Cisco observed a second malvertising campaign, using a different set of registrant accounts and targeting Europe, with many Italian, Spanish, Bulgarian, Swedish, and Slovakian sites impacted by it. Several Israeli sites were also seen serving the malicious ads, researchers say. Although the URL structure changed after the initial takedown and the syntax had a couple of subtle variations, researchers were able to gather enough information on the campaign to take it down as well.

“Just like any other portion of an exploit kit infection chain, the adversaries will continue to evolve,” Cisco’s researchers note. “Users aren’t left with a lot of options related to this threat. Ad blockers are an option, but as we’ve seen some sites are already taking a stand against ad blockers because they eliminate a primary revenue stream. In the case of Neutrino, users can simply uninstall Adobe Flash from their systems entirely. This is yet another reason to remove a plugin that is increasingly becoming obsolete in regards to rendering the images, games, and videos on the Internet today.”

Related: Malvertising Campaign Hits Top Global Websites

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
