March 16, 2016

Malvertising Campaign Affects MSN, NY Times Among Others

A large number of major news websites have seen their advertisements hijacked by a malicious Angler campaign that installs ransomware on users’ computers, security researchers revealed.

Security researchers from security software and services firm Malwarebytes have revealed that a ransomware campaign has targeted a number of US users in recent times through major websites. They include the likes of the New York Times, AOL, NFL, MSN, Realtor, Newsweek, the Hill and Xfinity, among others.

The payload of the malware is delivered through multiple ad networks. The campaign used a number of different vulnerabilities, such as a recently patched flaw discovered in Microsoft’s Flash competitor, Silverlight. The former Flash competitor was notably discontinued in 2013. That hasn’t stopped ransomware authors from taking advantage of its vulnerabilities to craft malware to this day.

When an infected advert reaches a user, the user is redirected to a page on servers hosting the malware. This redirect exposes the victim to the infamous Angler exploit kit, malware commonly used among cybercriminals.

The Angler kit attempts to find any available backdoor on the targeted machine in order to install the cryptographically coded ransomware, which then encrypts important media and files on the victim’s hard drive. The victim is powerless to regain access to the files until a ransom is paid, in bitcoin, for the decryption keys to unlock the encrypted files.

A blog post by Malwarebytes actually begins by stating that malvertising activity was on the decline over the past few weeks, according to the firm’s telemetry.

It added:

However, out of the blue on the weekend we witnessed a huge spike in malicious activity emanating out of two suspicious domains. Not only were there a lot of events, but they also included some very high profile publishers, which is something we haven’t seen in a while:

Publisher Traffic (monthly)* 1.3B 313.1M 290.6M 218.6M 102.8M 60.7M 51.1M 43M 31.4M 9.9M


Ransomware is among the most destructive and potent forms of malware, especially in recent times. When malware authors begin targeting popular domains which see billions of visitors as their platform for dispersing ransomware, it adds to the bleak outlook. Malwarebytes has notified several ad networks about the intrusion and one hopes that the malicious ads are quickly purged upon discovery.

 Image credit: Wikimedia.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.