Expired domains used by hackers to spread malware via popular sites

17 March 2016
By Tereza Pultarova
Mobile version
Share |
This banner displayed on popular news websites directs users to a malicious page

This banner displayed on popular news websites directs users to a malicious page

Hackers have found a new way of spreading malware into the computers of unsuspecting users by buying expired domains of advertising companies to insert fake malware-carrying ads into popular news and entertainment websites.

The practice, described by US information-security company Trustware in a blogpost published earlier this week, has affected a range of high-profile websites including the New York Times, Newsweek, BBC and AOL.

The malicious campaign used an expired domain of advertising company BrentsMedia to direct users to the so called Angler exploit kit and infect their computers with malware.

“In the past few days while going over the telemetry of our products we noticed that several high-profile sites were fetching a JSON file which is hosted on brentsmedia.com as part of their process for pulling advertising content from their ad providers,” Trustware wrote in the blogpost.

“This JSON file refers to a suspicious, heavily obfuscated JavaScript file with more than 12,000 lines of code. Our suspicions grew further when de-obfuscation of the script revealed that it tries to enumerate the following list of security products and tools in order to filter out security researchers and users with protections that would prevent exploitation.”

Essentially, what happens is that the user may accidentally or intentionally click on the fake advert, which directs them to the fake website. Every click on the website results in the user downloading the malware.

According to Trustware’s investigation, the probably legit BrentsMedia website expired on 1 January 2016 but was registered again by a different user two months later. Acquiring the domain allowed the hackers to generate lots of traffic from websites that publish ads either directly or as affiliates of other ad networks, the researchers said.

"To be clear, this is impacting ads from third parties that are beyond our control," New York Times spokesman Jordan Cohen told Reuters, adding that the firm was investigating the attack.

The researchers have found further expired websites performing the same trick - envangmedia.com and markets.shangjiamedia.com.

“If one was to take a wild guess, one might think that they [the attackers] actually are watching for any domains containing the word ‘media’ that have recently expired,” Trustware wrote.

“Whether or not this will turn into a new trend, it's certainly an interesting development in the world of malvertising, once again reminding us how difficult it is for both end-users and ad networks to deal with this threat.”

The Angler exploit kit, first discovered in late 2013, is currently the most widely used exploit kit known to researchers. Notorious for its ability to constantly innovate, as well as evade detection by security products, Angler is being used to infect victims’ computers with Bedep trojan and the TeslaCrypt ransomware.

The researchers said they did not know who was behind the attack, which could be perpetrated either directly by the Angler team or by an affiliated third party criminal.

Latest Issue

E&T cover image 1607

"As the dust settles after the referendum result, we consider what happens next. We also look forward to an international summer of sport."

E&T jobs

  • Chair in Integrated Sensor Technology

    The University of Edinburgh
    • Edinburgh, City of Edinburgh

    The University of Edinburgh is one of the world’s top 20 institutions of higher education.....

    • Recruiter: The University of Edinburgh

    Apply for this job

  • Principal Electrical Engineer - Power

    BAE Systems
    • Bristol, England / Cumbria, Barrow-In-Furness, England
    • Negotiable

    Principal Electrical Engineer - Power Join our Electrical Power team and help design the self-contained generation and distribution system for the Successor submarine - a new generation of submarine designed to carry the UK's independent nuclear deterrent

    • Recruiter: BAE Systems

    Apply for this job

  • Operations Supervisor (Mechanical/Electrical/Instrumentation)

    National Grid
    • England, Cambridgeshire
    • £33000 - £39000 per annum

    Operations Supervisor - (Mechanical/Electrical/Instrumentation) Salary: Circa £33k - 39k dependant on experience + vehicle and great additional benefits (share scheme, pension, potential bonus).Location: Wisbech - Cambridgeshire We currently have an excit

    • Recruiter: National Grid

    Apply for this job

  • Lead NDT Trainer

    BAE Systems
    • England, Lancashire
    • Competitive package

    Would you like to be involved with training UK and international teams in Non Destructive Inspection (NDI) to support the in service fleet (Typhoon Tornado, and Hawk)?

    • Recruiter: BAE Systems

    Apply for this job

  • Systems Design - Emerging Portfolio

    • Bristol
    • Competitive Salary & Benefits

    What?s the opportunity?   There are fantastic opportunities in Systems Design for engineers to work within Future Systems. These are highly visible, fast paced roles, in...

    • Recruiter: MBDA

    Apply for this job

  • Metering Engineer

    Department for Business, Innovation and Skills
    • Teddington, United Kingdom
    • £24,109 - £27,961 plus EO Electronics PE of £8,090.00

    We are now looking for a Metering Engineer to deliver RD’s In-Service Testing (IST) scheme for gas and electricity meters.

    • Recruiter: Department for Business, Innovation and Skills

    Apply for this job

  • Head of Operational Estates

    Premium job

    The Shrewsbury and Telford Hospital NHS Trust
    • Shrewsbury, Shropshire
    • £46,625 to £57,640 per annum

    As an experienced Estates Manager, you will play a key role in helping to shape the future of the Estates service.

    • Recruiter: The Shrewsbury and Telford Hospital NHS Trust

    Apply for this job

  • Engineering Project Manager - Electrical & Automation

    • York, North Yorkshire
    • c£45,000 + Car Allowance + Bonus + Excellent Benefits

    Nestlé Product Technology Centre in York currently has an excellent opportunity for an Engineering Project Manager

    • Recruiter: Nestle

    Apply for this job

  • Assistant Professor (Tenure Track) of Smart Building Solutions

    Premium job

    ETH Zurich
    • Zurich, Canton of Zürich (CH)

    The successful candidate is expected to develop a strong and visible research programme in the area of control and diagnostics of building systems

    • Recruiter: ETH Zurich

    Apply for this job

  • Process Controls Leader

    Premium job

    Phillips 66
    • Humber Refinery, South Killingholme, North Lincolnshire DN40 3DW
    • £60k - 75k plus extensive Compensation and benefits package, dependent upon experience

    Experienced Process Control Leader providing leadership and technical support for Oil Refinery. Extensive Compensation and benefits package.

    • Recruiter: Phillips 66

    Apply for this job

More jobs ▶


Choose the way you would like to access the latest news and developments in your field.

Subscribe to E&T