Attackers are using Flash exploits and foisting ransomware through real time advertising bidding networks, FireEye researchers say.
The attacks link to malicious or compromised advertising sites which participate in real time bidding systems in which ad inventory is sold to and by publishers.
More than 1700 malicious advertising requests have been detected that led to malicious .swf Flash files being downloaded over hundreds of unnamed sites.
"We believe this activity is part of an active malvertising operation," FireEye Labs researchers say in an advisory.
"These ads can come from ad servers that are part of a legitimate ad network or rogue ad servers controlled by attackers."
The attacks target a vulnerability (CVE-2014-0569) patched October last year affecting Adobe Flash and Air which was integrated quickly into exploit kits including the popular Angler.
Damage to victims varied; FireEye bods say attackers foisted both the dangerous Cryptowall ransomware and what appear to be benign Windows files.
Two .swf files are loaded and load the exploit then throw up an unrelated advertisement which varied across attacks. Researchers probing deeper discovered the studied advertising sites used a tool dubbed 'F**k AdBlock' designed to detect 'nasty' ad blockers across popular web browsers.
URLs involved in the advertising network revealed the bid pricing, impressions, and information on operating systems and web browsers.
Malvertising is a popular method for infecting web users. Last month some 1800 subdomains linked to GoDaddy accounts were found spreading the Angler exploit kit using a then Flash zero day exploit in a surreptitious malvertising campaign. ®