Aug 26, 2011 17:00 GMT

Security researchers from web security vendor Armorize have spotted malicious ads on Google's DoubleClick network that lead to drive-by download exploits.

"In the past few days, our scanners noticed malvertising on Google DoubleClick. The malvertisement is being provided to DoubleClick by Adify (Now a part of Cox Digital Solutions), and to Adify by Pulpo Media, and to Pulpo Media by the malicious attackers pretending to be advertisers: indistic.com," the Armorize experts warn.

"The malvertisement causes visitor browsers to load exploits from kokojamba.cz.cc (the exploit domain), which is running the BlackHole exploit pack. Currently, 7 out of 44 vendors on VirusTotal can detect this malware," they add.

Malvertizing has become a common infection vector in recent years. Malware pushers use social engineering and impersonation to trick advertising networks into accepting their ads, after which they start serving malicious code through them.

Many high-profile websites have been hit by malvertizing attacks, including, more recently, Yahoo! Philippines, Spotify, Al Jazeera, Autotrader.co.uk, and others.

Attackers usually prefer to trick websites into running their ads directly instead of going through ad networks, which have better-trained personnel who perform rigorous background checks.

However, every now and then ad networks do get hit, especially when trusted intermediaries are involved, as in this case.

Last December, Armorize identified a large-scale malvertizing attack that affected both Google's DoubleClick network and rad.msn.com, the server used by Microsoft to deliver ads on various sites, including Hotmail and MSN.

Malicious ads were traditionally used to promote fake antivirus programs, but have mutated in recent times to serve malicious code that exploits vulnerabilities in outdated applications.

The BlackHole toolkit used in this attack is currently the most popular drive-by download attack kit and contains exploits for vulnerabilities in Java, Flash Player, Adobe Reader and Windows.

In order to stay protected from such attacks, users are advised to keep their applications up to date and run an antivirus capable of scanning web traffic at all times.