Malicious adverts spreading malware managed to make their way onto popular French video streaming site Dailymotion. The infection involved a rogue ad and JavaScript that ultimately directed surfers to sites harbouring the Angler Exploit Kit (EK).

The practical upshot was that Windows users running out-of-date software, such as older versions of Adobe Flash, would be infected with either the Bedep trojan or ad fraud malware, or maybe both.

The attack was spotted by security software firm Malwarebytes, which reports that the bogus advertiser behind the attack took great pains to disguise its origin and purpose. It said:

This malvertising incident happened via real-time bidding (RTB) within the WWWPromoter marketplace. A decoy ad from a rogue advertiser initiates a series of redirections to .eu sites and ultimately loads the Angler exploit kit. The bogus advertiser is using a combination of SSL encryption, IP blacklisting and JavaScript obfuscation and only displays the malicious payload once per (genuine) victim. In addition, Angler EK also fingerprints potential victims before launching its exploits to ensure the user is not a security researcher, honeypot or web crawler.

Malwarebytes contacted Atomx, the online media exchange platform used in the ad call, which confirmed an issue and traced it back to a malicious buyer (the rogue advertiser) on its network. The attack was rapidly detected and neutralised once the culprit was identified.

Nonetheless, the incident serves to illustrate the ongoing problems posed by the abuse of legitimate ad networks by cybercriminals. These attacks are becoming stealthier and harder to detect, Malwarebytes reports.

“Threat actors have really stepped up their game in terms of being very stealthy and making a particular ad call look benign when reproduced in a lab environment,” explains Jérôme Segura, a senior security researcher at Malwarebytes.

Updated

A spokeswoman at Dailymotion has contacted us with this statement:

"For as long as we have worked with TMT, Dailymotion has not been subject to any maladvertising attacks. TMT is aware of and has been on the look out for this particular type of malware since November.

We are currently conducting further investigations on the report of the [Malwarebytes'] blog with their cooperation and that of our advertising and security partners."