Malicious Ads Hit Amazon, YouTube and Yahoo According to Cisco

In a new blog post, Cisco describes a malvertising network dubbed Kyle and Stan. The network targets Windows and Mac devices alike with the old trick of sneaking malware into advertising. There are only a few big advertising players on the market, so if an attacker manages to sneak a malicious ad past the security controls, it will reach thousands, maybe even millions of potential victims within minutes.

Talos Security Research has uncovered a major network that is doing exactly this, and because of the naming scheme of hundreds of its sub-domains, e.g. “stan.mxp2099.com” and “kyle.mxp2038.com”, they nicknamed the malvertising group Kyle and Stan. There are many variations of the attack, but it always follows the same scheme: when served the malicious advertisement, you are redirected to a different website depending on your system, Windows or Mac, where a malicious file starts to download.

Once the victim is redirected to the final URL, the website automatically starts a download of a unique piece of malware for every user. The file is a bundle of legitimate software, such as a media player, with a unique-to-every-user configuration of malware compiled into it. The attackers rely purely on social engineering to get the user to install the software package.

No drive-by exploits are being used thus far, but the impressive thing is that we are seeing this technique not only work for Windows, but for Mac operating systems alike.

The first hits go back to the beginning of May, with June and July showing the most traffic on the 74 sites where the malvertising was detected. The network itself consists of over 700 domains, making it hard for blacklists and other detection tools to pick up on it.
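With over 700 domains in play, matching on the sub-domain naming scheme quoted above is one alternative to listing every host. The following is an added example, not code from Cisco or the original article; the regex is an assumed generalisation of the two quoted hostnames, and the log format, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: generalised from the two hostnames quoted in the article
# (stan.mxp2099.com, kyle.mxp2038.com) as "kyle|stan" + "mxp<digits>.com".
KYLE_STAN = re.compile(r"(kyle|stan)\.mxp\d+\.com")

def normalise_host(url):
    """Return the lower-cased hostname of a URL, without port or trailing dot."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return host.rstrip(".").lower()

def find_hits(log_lines):
    """Map client IP -> sorted list of matching hostnames it requested.

    Expects constructed 'timestamp client_ip url' lines; others are skipped.
    """
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, url = parts
        host = normalise_host(url)
        # fullmatch: the whole hostname must fit the scheme, so look-alikes
        # that merely contain the pattern are not flagged.
        if KYLE_STAN.fullmatch(host):
            hits[client].add(host)
    return {client: sorted(hosts) for client, hosts in hits.items()}

# Constructed sample proxy log (not real traffic). stan.mxp2100.com is a
# made-up host that fits the assumed scheme but is not named in the article.
SAMPLE_LOG = [
    "2000-01-01T10:00:01 10.0.0.5 http://stan.mxp2099.com/ad.js",
    "2000-01-01T10:00:02 10.0.0.5 http://KYLE.mxp2038.com:80/r?id=1",
    "2000-01-01T10:00:03 10.0.0.7 http://kyle.mxp2038.com.example.org/",
    "2000-01-01T10:00:04 10.0.0.7 https://www.example.com/index.html",
    "2000-01-01T10:00:05 10.0.0.9 stan.mxp2100.com./x",
    "malformed line",
]

if __name__ == "__main__":
    for client, hosts in find_hits(SAMPLE_LOG).items():
        print(client, hosts)
```

A pattern like this only covers the sub-domains that follow the quoted scheme; hosts in the network with other names still need list-based or behavioural detection.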

Cisco's list of domains confirmed to have served the malicious ads at one point or another during the monitored period contains popular sites such as Amazon, Yahoo, Winrar and YouTube.

Thank you Cisco for providing us with this information.

Images courtesy of Cisco and Southpark.

Bohs Hansen
