Malvertising Exposes Millions of Site Visitors at, NYTimes and More

Several high-profile media sites, including the New York Times, the BBC, MSN and AOL, are falling victim to a new rash of malicious ads that attempt to surreptitiously inflict malware on unsuspecting site visitors.

According to Malwarebytes, other infected sites in what is almost certainly a coordinated attack include the Comcast outpost My.Xfinity,, Realtor, TheWeatherNetwork, Newsweek and thehill.

“It remains to be seen how many individuals have been impacted,” the company said by email. “At least five of the largest websites attacked have well over 100 million visitors a month.” And that means that the campaign has likely exposed tens of thousands of people over the past 24 hours alone, installing mainly crypto ransomware.

Malvertising occurs when cyber-criminals create ads which are perceived as legitimate but actually spread malware by hiding a small piece of code deep in the script. Thus, when a surfer clicks on it, the victim’s computer is connected to criminal servers rather than to the legitimate advertiser that it purports to be, and the malware is downloaded—usually with the victim being none the wiser.

“Clearly cyber-criminals are targeting high-traffic sites to try to encourage a larger number of clicks, and consumers are probably more likely to trust ads which are displayed on well-known, trusted websites,” said Malcolm Murphy, systems engineering manager, Infoblox, via email. “Meanwhile, the malware itself continues to grow in sophistication, often exploiting an organization’s domain name system, or DNS, as a pathway to connect to a malicious destination or botnet.”

Malvertising is an increasingly popular attack vector, since it’s relatively easy to execute. Recent research from RiskIQ revealed that malvertising jumped up over 300 percent year on year between 2014 and 2015, following a string exploitations of major publishing sites such as, Huffington Post and The Daily Mail. The most common lure used in malvertisements to date has been fake Flash updates—most notably, this was exploited across the Yahoo ad network.

“Once again a major ad network has been abused by hackers in order to carry out a malvertising attack and this is concerning for all those involved, particularly the publishers who were affected including BBC, New York Times, Newsweek and MSN,” said Ben Harknett, VP EMEA, RiskIQ, in an emailed comment. “Unfortunately using malvertising as a method of covertly spreading malware is only growing in popularity.”

It’s also a great way to expose thousands of people to the exceedingly lucrative ransomware scourge, all at once. The latest Intel Security Threats Report revealed that ransomware shot up by 127% in the past year alone. By using potentially harmful ads to persuade unsuspecting users to click on links and install ransomware, criminals are extending their victim base and accessing vast amounts of information.

“Ransomware services are surprisingly easy to find online at very low cost, enabling even the most amateur criminals to attack businesses—and, in this case, individuals—and access huge quantities of data,” said Raj Samani, CTO for Intel Security EMEA. “Criminals are well aware of the huge potential for financial gain when launching ransomware attacks: one group we tracked made over £49,000 in just ten weeks by attacking organizations in this way.”

The good news is that this latest campaign actively avoids systems with common security software installed, and the malware itself requires vulnerable versions of software to exploit.

“Concerned consumers should take note that the prescription for avoiding these malware infections is basic security hygiene,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Installing security updates can protect you.”

As for webmasters, “organizations should be making DNS security a top priority,” Harknett said. “In reality though, DNS servers are often neglected, leaving organizations open to these types of attacks. Reliable threat intelligence will also enable organizations to disrupt malware as it communicates through the DNS, protecting customers from malvertising in the process.”

Photo © Goran Bogicevic/

What’s Hot on Infosecurity Magazine?