Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Yahoo, Amazon and YouTube Hit By Malvertising Campaign

Security experts are warning that Yahoo, YouTube and Amazon amongst others are serving up malicious ads to Windows and Mac users thanks to a newly discovered malvertising network.

The so-called 'Kyle and Stan' network was first detected back in May and has affected over 700 domains so far, although this is likely to be just “the tip of the iceberg”, Cisco researchers Shaun Hurley, David McDaniel and Armin Pelkmann wrote in a blog post.

When netizens visit a website infected with the malicious ads, they’re apparently redirected to another site based on what machine they’re using – Windows or Mac.

The final page automatically starts downloading malware.

“The file is a bundle of legitimate software, like a media-player, and compiles malware and a unique-to-every-user configuration into the downloaded file,” the researchers wrote.

“The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far. The impressive thing is that we are seeing this technique not only work for Windows, but for Mac operating systems alike.”

Cisco said that the whole network could be automated, which means the malvertisers potentially have registered huge numbers of domains. So far they firm has noted 9,541 connections to malicious domains.

Infiltrating popular domains such as amazon.com, ads.yahoo.com, www.winrar.com and youtube.com has given the attackers the chance of infecting potentially millions of users.

So far, spyware, adware and browser hijackers have been detected, although the cybercriminal gang behind the network may also have other malware up its sleeve, Cisco said.

“The malware droppers employ clever techniques and encryption to always have unique checksums to avoid detection,” the researchers added.

“The large number of domains allows the attackers to use a certain domain just for a very short time, burn it and move on to use another one for future attacks. This helps avoiding reputation and blacklist based security solutions.”

What’s Hot on Infosecurity Magazine?