DailyMotion served Angler exploit kit to visitors, over 128 million users placed at risk

The streaming site has been unwittingly delivering the Angler exploit kit to visitors thanks to a malvertising campaign.

Popular streaming website DailyMotion has become the latest victim of malicious ad networks and has delivered malware payloads to potentially millions of visitors.

The French video sharing and streaming website recently became a subject of interest to researchers at security firm Malwarebytes. In a blog post, the team said they have been tracking a malvertising campaign sent via .eu websites for several days, but were missing the final piece of the puzzle.

Now, the team have managed to reproduce a live infection via an advert hosted on DailyMotion, which holds the 98th position in Alexa's top 100 websites ranking. According to ComScore, the website caters for at least 128 million unique visitors per month.

As with many malvertising campaigns, the story begins at real-time bidding marketplaces for ad space. An advertiser bids for an ad space on a page, wins the bid and then is granted the ability to serve that ad to visitors.

Naturally, the more popular the site the higher the fee, but this also means that cybercriminals can make a fortune when they have a malicious ad placed on a legitimate website serving a trusting and wide audience.

In DailyMotion's case, a rogue advertiser secured an ad space through the WWWPromoter marketplace. A decoy ad was then placed on the video streaming site which initiated a series of redirections to .eu websites and ultimately the Angler exploit kit.

"The bogus advertiser is using a combination of SSL encryption, IP blacklisting and JavaScript obfuscation and only displays the malicious payload once per (genuine) victim," the Malwarebytes team says.

"In addition, Angler EK also fingerprints potential victims before launching its exploits to ensure the user is not a security researcher, honeypot or web crawler."


Malwarebytes quickly contacted the online media exchange platform used in the ad call, dubbed Atomx, which told the security firm the issue was coming from a malicious buyer on the WWPromoter, rather than the exchange platform itself.

It didn't take long for the issue to be resolved and the malicious ad to be pulled. The company said:

"This particular malvertising attack is one of a few campaigns we have been tracking which is much more sophisticated than the average incidents we encounter daily.

We can say that lately threat actors have really stepped up their game in terms of being very stealthy and making a particular ad call look benign when reproduced in a lab environment."

This case is a reminder that any legitimate website, such as Yahoo or the Daily Mail in the past, can become an attack vector. You can't fully trust any online source, and so it is more important than ever to keep systems up-to-date and patched to reduce the risk of infection.

Read on: Top picks