This banner displayed on popular news websites directs users to a malicious page

Expired domains used by hackers to spread malware via popular sites

Hackers have found a new way of spreading malware into the computers of unsuspecting users by buying expired domains of advertising companies to insert fake malware-carrying ads into popular news and entertainment websites.

The practice, described by US information-security company Trustware in a blogpost published earlier this week, has affected a range of high-profile websites including the New York Times, Newsweek, BBC and AOL.

The malicious campaign used an expired domain of advertising company BrentsMedia to direct users to the so called Angler exploit kit and infect their computers with malware.

“In the past few days while going over the telemetry of our products we noticed that several high-profile sites were fetching a JSON file which is hosted on as part of their process for pulling advertising content from their ad providers,” Trustware wrote in the blogpost.

“This JSON file refers to a suspicious, heavily obfuscated JavaScript file with more than 12,000 lines of code. Our suspicions grew further when de-obfuscation of the script revealed that it tries to enumerate the following list of security products and tools in order to filter out security researchers and users with protections that would prevent exploitation.”

Essentially, what happens is that the user may accidentally or intentionally click on the fake advert, which directs them to the fake website. Every click on the website results in the user downloading the malware.

According to Trustware’s investigation, the probably legit BrentsMedia website expired on 1 January 2016 but was registered again by a different user two months later. Acquiring the domain allowed the hackers to generate lots of traffic from websites that publish ads either directly or as affiliates of other ad networks, the researchers said.

"To be clear, this is impacting ads from third parties that are beyond our control," New York Times spokesman Jordan Cohen told Reuters, adding that the firm was investigating the attack.

The researchers have found further expired websites performing the same trick - and

“If one was to take a wild guess, one might think that they [the attackers] actually are watching for any domains containing the word ‘media’ that have recently expired,” Trustware wrote.

“Whether or not this will turn into a new trend, it's certainly an interesting development in the world of malvertising, once again reminding us how difficult it is for both end-users and ad networks to deal with this threat.”

The Angler exploit kit, first discovered in late 2013, is currently the most widely used exploit kit known to researchers. Notorious for its ability to constantly innovate, as well as evade detection by security products, Angler is being used to infect victims’ computers with Bedep trojan and the TeslaCrypt ransomware.

The researchers said they did not know who was behind the attack, which could be perpetrated either directly by the Angler team or by an affiliated third party criminal.

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles