
SSL Malvertising Campaign Continues (UPDATED)

Update 08/14: The campaign has moved to another advertiser (AOL) and a new Azure domain:

Malvertising URL:

imp.bid.ace.advertising.com/{redacted}pmcpmprice=0.545/{redacted}dref=http://www.ebay.com/sch/i.html?_nkw=jazzy+wheelchair+battery&_pgn=3&_skc=100&rt=nc

First redirection (Azure website):

v5tr34-a09.azurewebsites.net/?=a09vv5vtrkp

Second redirection:

mbiscotti.com/?Xz29TuVbablQc

Angler exploit kit:

abgzdbergzr.jeppe.iemooentypo.com/{redacted}
abgzdbergzr.le9.anguoanti-malware.net/abgzdbergzr/{redacted}

Our telemetry captured this malvertising on eBay.com, and the cost per thousand impressions (CPM) for this ad was $0.545. Visitors who were served that ad were redirected to the Angler exploit kit, known for dropping ransomware and ad fraud malware.

-- Original story --

The actors behind the recent Yahoo! malvertising attack are still very much active and able to infect people who browse popular websites.

We have been tracking this campaign and noticed that it has recently moved to a new ad network used by many top publishers.

  • weather.com 121M visits per month
  • drudgereport.com 61.8M visits per month
  • wunderground.com 49.9M visits per month
  • findagrave.com 6M visits per month
  • webmaila.juno.com 3.6M visits per month
  • my.netzero.net 3.2M visits per month
  • sltrib.com 1.8M visits per month

Stats according to SimilarWeb.com

The malvertising is loaded via AdSpirit.de and includes a redirection to an Azure website. Note how both URLs are using HTTPS encryption, making it harder to detect the malicious traffic at the network layer.


Redirection chain

  1. Publisher’s website
  2. https://pub.adspirit.de/adframe.php?pid=[redacted]
  3. https://pr2-35s.azurewebsites.net/?=pr2-35s-981ef52345
  4. abcmenorca.net/?xvQtdNvLGcvSehsbLCdz
  5. Angler Exploit Kit
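As an added example (not code from the original post or from Malwarebytes), the following Python script reconstructs both chains described on this page, the AdSpirit one above and the 08/14 advertising.com one, from proxy-log referrer pairs and flags the shape they share: an ad-network referrer, an azurewebsites.net hop whose query string is a bare `?=token` with no key, then a hop to an unrelated domain carrying a single opaque token and no value. The log rows are constructed for the example; the benign rows, the `legit-brand.azurewebsites.net` host and the ten-character token threshold are assumptions, and `REDACTED` stands in for values the post does not disclose.

```python
from urllib.parse import urlsplit, parse_qsl

# Ad-serving hosts the post names as the entry points of the rogue creative.
AD_NETWORK_HOSTS = {"pub.adspirit.de", "imp.bid.ace.advertising.com"}

# Constructed proxy-log excerpt: (referrer, requested URL) pairs. The hosts and
# query strings follow the two chains in the post; the log shape, the benign rows
# and the "legit-brand" host are assumptions made for this example.
SAMPLE_LOG = [
    # original campaign: publisher -> AdSpirit -> Azure -> gate (-> Angler, not logged here)
    ("https://www.weather.com/", "https://pub.adspirit.de/adframe.php?pid=REDACTED"),
    ("https://pub.adspirit.de/adframe.php?pid=REDACTED",
     "https://pr2-35s.azurewebsites.net/?=pr2-35s-981ef52345"),
    ("https://pr2-35s.azurewebsites.net/?=pr2-35s-981ef52345",
     "http://abcmenorca.net/?xvQtdNvLGcvSehsbLCdz"),
    # 08/14 update: eBay -> advertising.com -> Azure -> gate
    ("http://www.ebay.com/sch/i.html?_nkw=jazzy+wheelchair+battery",
     "http://imp.bid.ace.advertising.com/REDACTED/pmcpmprice=0.545/REDACTED"),
    ("http://imp.bid.ace.advertising.com/REDACTED/pmcpmprice=0.545/REDACTED",
     "https://v5tr34-a09.azurewebsites.net/?=a09vv5vtrkp"),
    ("https://v5tr34-a09.azurewebsites.net/?=a09vv5vtrkp",
     "http://mbiscotti.com/?Xz29TuVbablQc"),
    # benign ad traffic through a normally-parameterised Azure site; must not be flagged
    ("https://www.weather.com/", "https://pub.adspirit.de/adframe.php?pid=REDACTED2"),
    ("https://pub.adspirit.de/adframe.php?pid=REDACTED2",
     "https://legit-brand.azurewebsites.net/landing?campaign=summer"),
    ("https://legit-brand.azurewebsites.net/landing?campaign=summer",
     "https://www.example.com/shop?item=42"),
]


def host_of(url):
    """Hostname of a URL, or an empty string when it has none."""
    return urlsplit(url).hostname or ""


def has_keyless_token(url):
    """The Azure hop in both chains uses '?=<token>': one pair, empty key, non-empty value."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return len(pairs) == 1 and pairs[0][0] == "" and pairs[0][1] != ""


def has_bare_token(url, min_len=10):
    """The gate hop uses '?<token>': one pair, an opaque alphanumeric key, no value.
    min_len is an assumed threshold to skip short flag-style parameters."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if len(pairs) != 1:
        return False
    key, value = pairs[0]
    return value == "" and len(key) >= min_len and key.isalnum()


def find_suspicious_chains(log):
    """Return each ad-network -> Azure -> gate chain as a tuple of three hostnames."""
    by_referrer = {}
    for referrer, url in log:
        by_referrer.setdefault(referrer, []).append(url)

    chains = []
    for referrer, url in log:
        if host_of(referrer) not in AD_NETWORK_HOSTS:
            continue
        if not host_of(url).endswith(".azurewebsites.net") or not has_keyless_token(url):
            continue
        # Follow the Azure hop to whatever it redirected the browser to.
        for gate in by_referrer.get(url, []):
            if host_of(gate).endswith(".azurewebsites.net") or not has_bare_token(gate):
                continue
            chains.append((host_of(referrer), host_of(url), host_of(gate)))
    return chains


if __name__ == "__main__":
    for chain in find_suspicious_chains(SAMPLE_LOG):
        print(" -> ".join(chain))
```

The check only works where the URLs are visible, for instance in a TLS-inspecting proxy's log or in browser telemetry from the endpoint: as the post notes, the first two hops ride on HTTPS, so a passive network sensor sees only the hostnames.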

Malwarebytes Anti-Exploit users were protected against this attack.

We informed the ad network and although they did not immediately get back to us, the rogue advert was taken down.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher