A large number of popular websites are serving users malicious advertising which attempts to infect them with ransomware. The websites themselves are not serving malicious advertising, referred to as malvertising, instead several high profile advertising networks affiliated with the sites are the source. The websites affected include MSN.com, NYTimes.com, BBC.com, AOL.com, NFL.com, and The WeatherNetwork.com among others. Combined these sites receive over 2 billion visits a month.

While such malware campaigns evolve over time, the malicious ads were observed using the Angler Exploit Kit by Jérôme Segura of Malwarebytes. An exploit kit is a malicious program which detects vulnerabilities in a target computer. Such vulnerabilities are typically the result of outdated versions or unpatched vulnerabilities in popular programs such as Adobe Flash. If the user’s computer contains one or more of these vulnerabilities, the exploit kit selects the most effective malware and installs it on the user’s computer. In this case, the exploit kit is also targeting a recently patched vulnerability in Microsoft Silverlight, a plug-in for web browsers.

As reported by Trustwave's SpiderLabs blog, one of the malicious files being served by affected advertising networks contains a list of security programs and tools: “If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK landing page. Upon successful exploitation, Angler infects the poor victim.” Another notable aspect of this malvertising campaign is that the perpetrators scooped up recently abandoned domain names from media companies to look like legitimate customers to online advertising networks.

According to TrendMicro, “This campaign is targeting users in the United States and may have affected tens of thousands of users in the last 24 hours alone.” They also report that the Angler Exploit Kit is expanding its capabilities to target the Edge web browser on Windows 10. Users who want to protect themselves from such campaigns need to keep their software up to date, especially their operating system and web browser, uninstall superfluous browser plug-ins like Flash, use an ad-blocker, and install an up-to-date antivirus program.