Cisco has spotted some big names serving up malicious advertising: YouTube, Amazon and Yahoo! among them.
A Borg blogger, Armin Pelkmann, with fellow-authors Shaun Hurley and David McDaniel, writes that what the company calls the “Kyle and Stan” malware campaign began in May, and uses redirects to try to trick users into downloading a new media player that carries malware in its payload.
The high-profile serving domains – along with many others – are, of course, receiving the “malvertising” from ad networks that have been tricked into hosting the attack content.
As well as the big three named above, the malicious ads have so far been served through at least 71 other domains, the post states. The attackers check the browser's user agent to work out whether a target is running a Windows or a Mac machine, and redirect the victim to the matching payload accordingly.
The aim is to get punters to download and install a file that's a “bundle of legitimate software, like a media-player”, with a “unique-to-every-user configuration” that gets compiled into the downloaded file.
There's no exploit-driven “drive-by” component to the attack, however: so far, the post notes, the attackers are relying on social engineering to talk users into running the installer themselves.
All of the more than 700 attack domains the researchers have identified are hosted on Amazon, use privacy-protected registrations, and use the following naming scheme:
kyle.mxp(1-4 digits).com or stan.mxp(1-4 digits).com
Because each download carries a user-unique configuration, every file has a different checksum, which defeats the hash-based blocklists that antivirus and web filters rely on to recognise a known-bad binary.
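Since per-download checksums are useless as an indicator, the domain naming scheme above is the most practical thing a defender can match on. The following Python is an added example written for this article, not code from Cisco or from the researchers, and it assumes a constructed proxy-log format (timestamp, client IP, method, URL, status) that is not from the original post. It anchors the pattern so that look-alike hosts with extra prefixes, suffixes or five-digit numbers do not match:

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Naming scheme reported in the article: kyle.mxp(1-4 digits).com or stan.mxp(1-4 digits).com
# Anchored at both ends so mykyle.mxp1.com or kyle.mxp1.com.example.org do not match.
# DNS names are case-insensitive, hence IGNORECASE; a trailing dot (FQDN form) is tolerated.
KYLE_STAN_RE = re.compile(r"^(?:kyle|stan)\.mxp\d{1,4}\.com\.?$", re.IGNORECASE)

# Pulls any http(s) URL out of a free-form log line.
URL_RE = re.compile(r"https?://\S+")


def is_kyle_stan_domain(host: str) -> bool:
    """Return True only if the whole hostname follows the campaign's naming scheme."""
    return bool(KYLE_STAN_RE.match(host.strip()))


def host_from_url(url: str) -> Optional[str]:
    """Extract the (lower-cased) hostname from a URL, or None if it has none."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, host) for every log line whose request URL hits a campaign domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = host_from_url(url)
            if host and is_kyle_stan_domain(host):
                hits.append((n, host))
    return hits


# Constructed sample proxy log, not real traffic. Hostnames follow the published scheme;
# the paths, IPs and the three decoy lines are invented for the example.
SAMPLE_LOG = [
    "1409900000.101 192.0.2.10 GET http://www.example.com/index.html 200",
    "1409900001.202 192.0.2.10 GET http://kyle.mxp2099.com/dl/player_setup.exe 200",
    "1409900002.303 192.0.2.11 GET http://STAN.mxp7.com/dl/player.dmg 200",
    "1409900003.404 192.0.2.12 GET http://kyle.mxp12345.com/ 200",            # five digits: no match
    "1409900004.505 192.0.2.13 GET http://mykyle.mxp1.com/ 200",              # extra prefix: no match
    "1409900005.606 192.0.2.14 GET http://kyle.mxp1.com.example.org/ 200",    # extra suffix: no match
]

if __name__ == "__main__":
    for line_no, host in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {host}")
```

The pattern should be treated as a starting point rather than a complete blocklist: the researchers identified the scheme across more than 700 domains, but nothing stops the operators from registering new ones under a different naming convention, so pair it with the other indicators in the Cisco post (Amazon hosting, privacy-protected WHOIS) rather than relying on it alone.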
“All in all we are facing a very robust and well-engineered malware delivery network that won’t be taken down until the minds behind this are identified”, the post concludes. ®