Malvertising Assault Targets DailyMotion

Security researchers have discovered another malvertising attack, this time affecting users of popular video sharing site DailyMotion.

Malwarebytes said it had been tracking an attack via ‘.eu sites’ for several days but could not find the final payload until it was able to replicate the attack on DailyMotion.

The attack was conducted through the Atomx ad network and made use of real time bidding to win impressions on the network through the WWWPromoter marketplace.

A malicious creative was displayed to users, who are vetted to make sure they are not a security researcher, honeypot or web crawler.

DailyMotion malvertising

This particular campaign attempted to load the Angler exploit kit – used in similar assaults such as the recent one on the Mail Online – and used a combination of SSL encryption, IP blacklisting and JavaScript Obfuscation techniques.

“We immediately contacted Atomx, the online media exchange platform used in the ad call, who informed us the issue was coming from WWPromoter and more specifically a malicious buyer (the rogue advertiser) on their network,” said Jerome Segura, senior security researcher at Malwarebytes.

“The incident was resolved very rapidly once the proper contacts were made and the problem isolated. For this, we would like to them all parties involved in taking such prompt action, therefore limiting the potential damage to innocent users.”

“This particular malvertising attack is one of a few campaigns we have been tracking which is much more sophisticated than the average incidents we encounter daily. We can say that lately threat actors have really stepped up their game in terms of being very stealthy and making a particular ad call look benign when reproduced in a lab environment.”

When ads attack

Segura added that the attack shows that even popular web destinations with recognised brands can be used to launch attacks. A number of malvertising assaults have targeted major porn sites, but Malwarebytes does not believe adult platforms are necessarily more susceptible.

“There’s this idea that adult sites are more dangerous to visit than “regular” sites,” Segura told TechWeekEurope earlier this year. “I don’t believe it’s entirely true especially for the top sites because they do dedicate a lot of resources to fighting fraud and malware. Based on what we have seen in the past months as far as malvertising goes, we have seen just as many top mainstream publishers as pornographic ones.”

A number of Malvertising attacks have affected users of dating websites, social networks and even Forbes.com, leading many to question the safety of online advertising – especially those running Flash. Google Chrome now pauses Flash adverts by default, while Amazon has blocked assets powered by the much-maligned software. Some have even turned to controversial ad-blockers to protect themselves against such attacks.

What do you know about Internet security? Find out with our quiz!