Compromised ad servers have been pushing out ransomware directly to unwitting users of many popular domains. As reported by Ars Technica (via MalwareBytes and others), whose story is heavily referenced here, the domain list contains a number of high traffic sites.

"It hit some of the biggest publishers in the business, including msn (.com), nytimes (.com), bbc (.com), aol (.com), my.xfinity (.com), nfl (.com), realtor (.com), theweathernetwork (.com), thehill (.com), and newsweek (.com). Affected networks included those owned by Google, AppNexis, AOL, and Rubicon."

(Image credit: Ars Technica)

Unfortunately, the story doesn't get better from here. The Ars report continues:

"The ads are also spreading on sites including answers (.com), zerohedge (.com), and infolinks (.com), according to SpiderLabs. Legitimate mainstream sites receive the malware from domain names that are associated with compromised ad networks. The most widely seen domain name in the current campaign is brentsmedia (.com)."

The ads have been traced back to multiple domains, including: trackmytraffic (.biz), talk915 (.pw), evangmedia (.com), and shangjiamedia (.com). The report continues:

"The SpiderLabs researchers speculate the people pushing the bad ads are on the lookout for expired domains containing the word "media" to capitalize on the reputation they may enjoy as a legitimate address."

The full article from Ars technica can be found here as well as the source link, and the cited Malware Bytes post can be found here.

So how did they do it? The banner ads themselves contained the malware, which could infect the viewers system undetected.

"When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.
'If the code doesn't find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page,' SpiderLabs researchers Daniel Chechik, Simon Kenin, and Rami Kogan wrote. 'Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware…' "

Of course it goes without saying that advertising online is a sticky issue. It can be intrusive, with ads blocking article text, or autoplay videos creating a cacophony of unwanted noise, somewhere amidst the many open tabs. Of course it can be done with class, respectful of the reader's experience (and I would use our own site as an example).

A large number of web users employ ad-blocking extensions to their browser, though it is often the case that ad revenue pays for the costs associated with keeping such sites online. This outbreak is a further blow to the current financial stability of many sites when news such as today's ransomware debacle hits the tech (and soon the mainstream) press.