Expired domains used by hackers to spread malware via popular sites

17 March 2016
By Tereza Pultarova
This banner displayed on popular news websites directs users to a malicious page

Hackers have found a new way of spreading malware into the computers of unsuspecting users by buying expired domains of advertising companies to insert fake malware-carrying ads into popular news and entertainment websites.

The practice, described by US information-security company Trustwave in a blog post published earlier this week, has affected a range of high-profile websites including the New York Times, Newsweek, BBC and AOL.

The malicious campaign used an expired domain of advertising company BrentsMedia to direct users to the so-called Angler exploit kit and infect their computers with malware.

“In the past few days while going over the telemetry of our products we noticed that several high-profile sites were fetching a JSON file which is hosted on brentsmedia.com as part of their process for pulling advertising content from their ad providers,” Trustwave wrote in the blog post.

“This JSON file refers to a suspicious, heavily obfuscated JavaScript file with more than 12,000 lines of code. Our suspicions grew further when de-obfuscation of the script revealed that it tries to enumerate the following list of security products and tools in order to filter out security researchers and users with protections that would prevent exploitation.”

Essentially, what happens is that the user may accidentally or intentionally click on the fake advert, which directs them to the fake website. Every click on the website results in the user downloading the malware.

According to Trustwave’s investigation, the probably legitimate BrentsMedia website expired on 1 January 2016 but was registered again by a different user two months later. Acquiring the domain allowed the hackers to generate lots of traffic from websites that publish ads either directly or as affiliates of other ad networks, the researchers said.

"To be clear, this is impacting ads from third parties that are beyond our control," New York Times spokesman Jordan Cohen told Reuters, adding that the firm was investigating the attack.

The researchers have found further expired websites performing the same trick - envangmedia.com and markets.shangjiamedia.com.
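The lapse-and-re-registration pattern described above can be checked from the publisher's side. The following is an added example, not code from the article or from the researchers: it compares WHOIS dates for third-party ad hosts against the date each host was approved. The host names, dates and WHOIS excerpts are constructed, and the field labels assume the common gTLD WHOIS layout.

```python
import re
from datetime import datetime, timedelta

# Constructed inventory: third-party hosts approved to serve ad content,
# with the date each was approved (hypothetical names and dates).
INVENTORY = {
    "cdn.oldmedia.example": "2014-06-10",
    "static.steadyads.example": "2013-02-01",
    "tags.lapsingmedia.example": "2012-09-15",
}

# Constructed WHOIS excerpts, keyed by registered domain.
WHOIS = {
    "oldmedia.example": "Creation Date: 2016-03-06T10:12:00Z\n"
                        "Registry Expiry Date: 2017-03-06T10:12:00Z\n",
    "steadyads.example": "Creation Date: 2009-11-20T08:00:00Z\n"
                         "Registry Expiry Date: 2018-11-20T08:00:00Z\n",
    "lapsingmedia.example": "Creation Date: 2011-04-02T00:00:00Z\n"
                            "Registry Expiry Date: 2016-04-02T00:00:00Z\n",
}

FIELD = re.compile(r"^\s*(Creation Date|Registry Expiry Date):\s*(\S+)", re.M)

def parse_whois(text):
    """Map each date field found in a WHOIS excerpt to a UTC datetime."""
    return {k: datetime.strptime(v, "%Y-%m-%dT%H:%M:%SZ")
            for k, v in FIELD.findall(text)}

def registered_domain(host):
    # Simplification: last two labels. Real code needs the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def audit(inventory, whois, today, warn_days=60):
    findings = []
    for host, approved in sorted(inventory.items()):
        rec = parse_whois(whois.get(registered_domain(host), ""))
        created, expires = rec.get("Creation Date"), rec.get("Registry Expiry Date")
        if created is None or expires is None:
            findings.append((host, "NO-WHOIS-DATA"))
        elif created > datetime.strptime(approved, "%Y-%m-%d"):
            # Registration is newer than our approval: the domain lapsed and
            # was registered again, possibly by a different party.
            findings.append((host, "RE-REGISTERED"))
        elif expires - today <= timedelta(days=warn_days):
            findings.append((host, "EXPIRING-SOON"))
    return findings

if __name__ == "__main__":
    for host, finding in audit(INVENTORY, WHOIS, datetime(2016, 3, 17)):
        print(f"{finding:15} {host}")
```

A host flagged as re-registered should be pulled from the approved list until its new owner is verified; one flagged as expiring soon is a candidate for the same lapse.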

“If one was to take a wild guess, one might think that they [the attackers] actually are watching for any domains containing the word ‘media’ that have recently expired,” Trustwave wrote.

“Whether or not this will turn into a new trend, it's certainly an interesting development in the world of malvertising, once again reminding us how difficult it is for both end-users and ad networks to deal with this threat.”

The Angler exploit kit, first discovered in late 2013, is currently the most widely used exploit kit known to researchers. Notorious for its ability to constantly innovate, as well as evade detection by security products, Angler is being used to infect victims’ computers with the Bedep trojan and the TeslaCrypt ransomware.

The researchers said they did not know who was behind the attack, which could be perpetrated either directly by the Angler team or by an affiliated third-party criminal.
