Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit

Summary: Security researchers from Trusteer have detected several malvertising campaigns, affecting multiple ad networks, which attempt to serve client-side exploits, ultimately dropping malware through the Black Hole Exploit Kit.

Security researchers from Trusteer have detected several malvertising campaigns affecting multiple ad networks, which attempt to serve client-side exploits, ultimately dropping malware through the Black Hole Exploit Kit.

According to the researchers:

About 9% of the exploits originated from Clicksor, but at least ten other ad networks were hosting similar malvertising campaigns, including:, Hooqy Media Advertiser,,,,, and

There are several ways cybercriminals can take advantage of these ad networks if they want to reach their multi-million audience:

  • Socially engineering their way into the system through legitimate accounts - Just how easy is it to join an advertising network? Too easy, especially if you're a cybercriminal looking for ways to reach the audience of legitimate and high-trafficked Web properties. It has happened before, and it will happen again. For instance, in 2009, Gawker Media was tricked into featuring malicious Suzuki ads, which in reality attempted to exploit client-side vulnerabilities on the visitor's host. On the majority of occasions, cybercriminals would establish a bogus online identity for their company/product/service in an attempt to bypass the ad network's security practices -- if any -- and would later on reveal their true malicious nature, by abusing the access to the audience that they've gained.
  • By compromising legitimate advertiser accounts and using their trusted network reputation for malicious purposes - this is perhaps the most effective and efficient way for cybercriminals to target the audience of high-trafficked and legitimate Web sites. By gaining access to trusted advertisers within an ad network, they can easily abuse this reputation by simply changing the campaign's URLs to point at their malware- and exploit-serving infrastructure. How would they obtain that access? By data mining a botnet's "infected population" for any kind of account credentials that they can steal and later abuse.
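The second vector above (a compromised advertiser account silently swapping a campaign's landing URL or creative) is something an ad network can check for at the point of change. The following Python script is an added example, not code from Trusteer, ZDNet or any ad network: it vets a creative against the advertiser's registered domains and flags hidden or zero-size iframes and obfuscated inline script, traits that the exploit-kit redirect chains described in the post typically rely on. All domain names, the `vet_creative` function and the sample creatives are constructed for illustration.

```python
"""Added example: a simple creative-vetting check an ad network could run
whenever an advertiser account changes a campaign's creative or landing URL.
It flags (a) landing/loaded domains outside the advertiser's registered
domains and (b) markup that embeds hidden iframes or obfuscated script.
All names, domains and sample creatives are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _CreativeScanner(HTMLParser):
    """Collects external sources, hidden iframes and inline script text."""

    def __init__(self):
        super().__init__()
        self.sources = []        # every external src found in the creative
        self.hidden_iframes = 0  # iframes that are invisible or 0/1 px
        self.inline_script = []  # text of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.hidden_iframes += 1
        if tag in ("iframe", "script", "img", "embed", "object") and a.get("src"):
            self.sources.append(a["src"])
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_script.append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _in_allowed(host, allowed):
    """True if host equals, or is a subdomain of, any registered domain."""
    return any(host == d or host.endswith("." + d) for d in allowed)


# Crude but useful: common building blocks of packed/obfuscated loaders.
OBFUSCATION = re.compile(
    r"\b(eval|unescape|fromCharCode)\s*\(|document\.write\s*\(\s*unescape", re.I)


def vet_creative(creative_html, landing_url, allowed_domains):
    """Return a list of findings; an empty list means the change looks benign."""
    allowed = [d.lower() for d in allowed_domains]
    findings = []
    lh = _host(landing_url)
    if not _in_allowed(lh, allowed):
        findings.append(f"landing domain {lh!r} not registered to this advertiser")
    scanner = _CreativeScanner()
    scanner.feed(creative_html)
    scanner.close()
    if scanner.hidden_iframes:
        findings.append(f"{scanner.hidden_iframes} hidden/zero-size iframe(s) in creative")
    for src in scanner.sources:
        h = _host(src)
        if h and not _in_allowed(h, allowed):
            findings.append(f"creative loads content from unregistered host {h!r}")
    if any(OBFUSCATION.search(s) for s in scanner.inline_script):
        findings.append("inline script uses eval/unescape-style obfuscation")
    return findings


# Constructed sample data: one registered advertiser and two creatives.
ADVERTISER_DOMAINS = ["example-advertiser.test"]
BENIGN_CREATIVE = (
    '<a href="https://shop.example-advertiser.test/sale">'
    '<img src="https://cdn.example-advertiser.test/banner.png"></a>')
BENIGN_LANDING = "https://shop.example-advertiser.test/sale"
SUSPICIOUS_CREATIVE = (
    '<img src="https://cdn.example-advertiser.test/banner.png">'
    '<iframe src="http://ads-update.example-malicious.test/in.php"'
    ' width="1" height="1" style="display:none"></iframe>'
    '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//x%22%3E"))</script>')
SUSPICIOUS_LANDING = "http://ads-update.example-malicious.test/"

if __name__ == "__main__":
    for label, html, url in (("benign", BENIGN_CREATIVE, BENIGN_LANDING),
                             ("suspicious", SUSPICIOUS_CREATIVE, SUSPICIOUS_LANDING)):
        print(label, vet_creative(html, url, ADVERTISER_DOMAINS))
```

Run against the constructed samples, the benign creative produces no findings while the suspicious one is flagged four times (foreign landing domain, hidden iframe, foreign iframe source, obfuscated script). A real deployment would treat a non-empty result as a reason to hold the campaign change for manual review rather than push it live to publishers.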

Users are advised to ensure that they're running the latest version of their third-party software and browser plugins, in an attempt to mitigate the risks posed by the exploitation of outdated and already patched client-side vulnerabilities - the primary exploitation vector of the cybercrime ecosystem in general.

What do you think: how trusted are high-profile "trusted" Web sites these days?


Topics: Security


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community... Full Bio
