Posted: August 13, 2015 by

Last updated:

The Angler exploit kit is served to visitors to top websites via the SSL malvertising campaign.

Update 08/14: The campaign has moved to another advertiser (AOL) and new Azure domain:

Malvertising URL:

imp.bid.ace.advertising.com/{redacted}pmcpmprice=0.545/{redacted}dref=http://www.ebay.com/sch/i.html?_nkw=jazzy+wheelchair+battery&_pgn=3&_skc=100&rt=nc

First redirection (Azure website):

v5tr34-a09.azurewebsites.net/?=a09vv5vtrkp

Second redirection:

mbiscotti.com/?Xz29TuVbablQc

Angler exploit kit:

abgzdbergzr.jeppe.iemooentypo.com/{redacted} abgzdbergzr.le9.anguoanti-malware.net/abgzdbergzr/{redacted}

Our telemetry captured this malvertising on eBay.com and the cost per thousand impressions (CPM) for this ad was $0.545. Visitors that were served that ad were redirected to the Angler exploit, known for dropping ransomware and ad fraud malware.

– – Original story —

The actors behind the recent Yahoo! malvertising attack are still very much active and able to infect people who browse popular websites.

We have been tracking this campaign and noticed that is has recently moved to a new ad network used by many top publishers.

weather.com 121M visits per month

121M visits per month drudgereport.com 61.8M visits per month

61.8M visits per month wunderground.com 49.9M visits per month

49.9M visits per month findagrave.com 6M visits per month

6M visits per month webmaila.juno.com 3.6M visits per month

3.6M visits per month my.netzero.net 3.2M visits per month

3.2M visits per month sltrib.com 1.8M visits per month

Stats according to SimilarWeb.com

The malvertising is loaded via AdSpirit.de and includes a redirection to an Azure website. Note how both URLs are using HTTPS encryption, making it harder to detect the malicious traffic at the network layer.

Redirection chain

Publisher’s website https://pub.adspirit.de/adframe.php?pid=[redacted] https://pr2-35s.azurewebsites.net/?=pr2-35s-981ef52345 abcmenorca.net/?xvQtdNvLGcvSehsbLCdz Angler Exploit Kit



Malwarebytes Anti-Exploit users were protected against this attack.

We informed the ad network and although they did not immediately get back to us, the rogue advert was taken down.