Top trustworthy sites such as The New York Times, BBC, MSN, AOL and many more are on the verge of losing their face value as a malvertising campaign looms around these websites, according to SpiderLabs.
Here's What Happens to Users When Clicking Ads on These Big Brand Sites:
The advertisements on the legit sites trick users into clicking on them, making them believe that these circulated ads come from a trusted network.
Once clicked, the malicious ad redirects the user to a malicious website that hosts the Angler Exploit Kit (AEK), which infects visitors by installing malware and ransomware on their computers.
Angler Exploit Kit includes many malicious hacking tools and zero-day exploits that let hackers execute drive-by attacks on visitors' computers.
In this case, the Angler kit scans for vulnerable PCs and loads the Bedep Trojan and TeslaCrypt ransomware, opening doors for hackers to further install a variety of malicious programs.
Buying Media-Related Domains to Spread Malicious Campaigns
While conducting a background check, the security firm discovered that the cyber criminals behind this advertising campaign made use of an expired website domain of Brentsmedia, an online marketing solution that discontinued its service earlier in 2016.
According to the web registrar records, Brentsmedia's domain was purchased by Pavel G Ashtahov on March 6th, just the day before the malvertising campaign kickstarted.
If any of the pre-defined products is found installed, the malvertising ads avoid loading the malicious payload, to evade detection by antivirus firms that could block the campaign if it were detected.
But if none is present, the ad carries out the exploitation in stealth mode, ultimately redirecting the user to the malicious page.
The Intensity of the Malvertising!
According to the researchers' telemetry, these malicious ads were delivered through two affiliate networks, namely Adnxs, which has already resolved the issue, and Taggify, which has not paid any attention to the seriousness of the problem.
Two more expired media-related domains exhibit the same characteristics as brentsmedia[.]com: "envangmedia[.]com" and "markets.shangjiamedia[.]com". This shows that another similarly named domain has already been registered.
So there might be a possibility of "media"-related branded domains being hijacked to run malvertising campaigns, as a new-generation threat to the global leaders.
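The pattern described above, an ad-related domain that lapsed and was re-registered shortly before it started serving ads, can be hunted for in web proxy logs. The Python below is an added example, not code from SpiderLabs or the original article; the log format, host names, dates and registration table are constructed, and the registration data is assumed to come from your own WHOIS/RDAP lookups.

```python
from datetime import date, datetime

# Constructed proxy log: timestamp, client IP, referring site, third-party host.
PROXY_LOG = """\
2016-03-07T09:14:02 10.0.0.21 news.example ads.oldbrand-media.example
2016-03-07T09:14:05 10.0.0.21 news.example cdn.longstanding-ads.example
2016-03-08T11:40:17 10.0.0.35 portal.example ads.oldbrand-media.example
2016-03-09T08:02:44 10.0.0.35 portal.example static.partner-media.example
"""

# Constructed registration records (assumed to be filled from WHOIS/RDAP):
# domain -> (current creation date, date the previous registration lapsed or None)
REGISTRATIONS = {
    "oldbrand-media.example": (date(2016, 3, 6), date(2016, 1, 15)),
    "longstanding-ads.example": (date(2009, 5, 1), None),
    "partner-media.example": (date(2015, 11, 20), None),
}

def registrable_domain(host):
    # Simplification: last two labels. Real data needs the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def first_seen(log_text):
    """Map each third-party domain to the date of its earliest request."""
    seen = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        day = datetime.fromisoformat(fields[0]).date()
        dom = registrable_domain(fields[3])
        if dom not in seen or day < seen[dom]:
            seen[dom] = day
    return seen

def flag_young_domains(log_text, registrations, max_age_days=30):
    """Return (domain, age_days, reregistered) for domains first requested
    within max_age_days of registration; age_days is None if no record exists."""
    findings = []
    for dom, day in sorted(first_seen(log_text).items()):
        record = registrations.get(dom)
        if record is None:
            findings.append((dom, None, False))  # unknown: needs a lookup
            continue
        created, lapsed = record
        age = (day - created).days
        if 0 <= age <= max_age_days:
            findings.append((dom, age, lapsed is not None))
    return findings
```

A domain flagged with `reregistered` set to true and an age of a day or two matches the Brentsmedia timeline reported above and deserves review before its ads are allowed through.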