Malicious advertisements have been found hiding on the domains of major websites like Amazon, YouTube and Yahoo, Cisco announced this week. The malvertisements are part of a scheme to quickly spread malware to numerous victims, the company said.
The network of fraudulent ads was nicknamed “Kyle and Stan” by researchers because those two names appear in the subdomains of the hundreds of sites used to host the malware. Cisco first identified the malvertising network in May, but Cisco researcher Armin Pelkmann said in a blog post that more people have been compromised since then.
According to Pelkmann, when a victim clicks on a malicious ad they are redirected to a download prompt that serves a software package generated uniquely for each download. Every copy therefore has a different checksum, so hash-based antivirus signatures written for one sample do not match the next. He added that the package may also bundle legitimate software components to make it appear benign. The download only starts if the target clicks on the ad, however.
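The following is an added example, not code from the article or from Cisco, that shows why a per-download unique file defeats a checksum blocklist while a signature on the stable part of the file still matches. The article does not say how the campaign makes each download unique; the random trailing padding used here, along with the constructed stand-in payload and the marker string `LEGIT_BUNDLE_v1.0`, are assumptions made for illustration.

```python
import hashlib
import os
import re

# Constructed stand-in for the stable core of a dropper. In a real campaign this
# would be the installer body; here it is just bytes carrying a recognisable marker.
STABLE_CORE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
    + b"LEGIT_BUNDLE_v1.0" + b"\x00" * 32 + b"config=http://example.invalid/ads\x00"
)

# Hypothetical content signature: it keys on the stable marker rather than on
# the whole-file hash, so padding changes do not affect it.
CORE_SIGNATURE = re.compile(rb"LEGIT_BUNDLE_v1\.0")


def build_unique_download(core: bytes) -> bytes:
    """Emulate a server that appends random bytes to each served copy (assumed
    mechanism) so that every download has a different checksum."""
    return core + b"\x00" * 16 + os.urandom(32)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hit(sample: bytes, blocklist: set) -> bool:
    """Whole-file hash lookup, the way a classic AV checksum signature works."""
    return sha256_hex(sample) in blocklist


def content_signature_hit(sample: bytes) -> bool:
    """Pattern match on the stable core instead of the full-file hash."""
    return CORE_SIGNATURE.search(sample) is not None


def compare_detections(n_downloads: int = 5) -> tuple:
    """Serve n unique copies, blocklist the hash of the first one, and count
    how many copies each approach catches.

    Returns (distinct_hashes, hash_blocklist_hits, content_signature_hits).
    """
    downloads = [build_unique_download(STABLE_CORE) for _ in range(n_downloads)]
    blocklist = {sha256_hex(downloads[0])}  # analyst hashed the first sample seen
    distinct_hashes = len({sha256_hex(d) for d in downloads})
    hash_hits = sum(hash_blocklist_hit(d, blocklist) for d in downloads)
    sig_hits = sum(content_signature_hit(d) for d in downloads)
    return distinct_hashes, hash_hits, sig_hits


if __name__ == "__main__":
    distinct, by_hash, by_sig = compare_detections()
    print(f"distinct hashes: {distinct}, caught by hash blocklist: {by_hash}, "
          f"caught by content signature: {by_sig}")
```

With five downloads, every copy has its own SHA-256, so the blocklist built from the first sample catches only that one copy, while the marker-based signature catches all five. The same reasoning is why behavioural or network-level indicators (the redirect chain, the hosting subdomains) are more useful against this kind of campaign than file hashes.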
“The attackers are purely relying on social engineering techniques in order to get the user to install the software package,” Pelkmann wrote. “No drive-by exploits are being used thus far.”
Malware could potentially reach millions
Cisco researchers believe the cybercriminals behind Kyle and Stan are abusing a malvertising network on popular websites to exploit the enormous reach of the ads on those pages, which could expose millions of people to the malware.
“If an attacker can get one of those major advertisement networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack,” said Pelkmann.
Nearly 10,000 users have connected to the network's domains since Cisco started investigating its activity, yet the cybercriminals have so far abused only a small fraction of the firms that supply online ads. Were they to target more of those companies, a far larger number of people could be affected.
One of the most dangerous aspects of Kyle and Stan is that its uniquely generated downloads defeat the signature-based detection that common security tools rely on. When traditional antivirus programs aren’t enough, a security information and event management (SIEM) service can help to fill the gap. Concierge SIEM solutions continuously monitor enterprise systems and analyze network activity, such as proxy and DNS logs that record the domains users are redirected to, to produce information that can be acted on to defend against cyberthreats. While in-house IT professionals can’t always keep an eye on enterprise systems, SIEM services watch for activity around the clock, so suspicious behavior or a security incident is far less likely to go unnoticed.