A recent malvertising campaign shows that any platform that displays ads, even one that is not the browser itself, is exposed to this kind of attack.
An example of a popular non-browser application that shows ads is Skype. These images would be familiar to avid Skype users.
This was of little concern to us until last night, when we saw an unusual spike in our telemetry caused by a malvertising campaign served through the AppNexus ad platform (adnxs.com).
One of the infection platforms we observed was Skype. Notably, displaying the ad in an application outside the browser does not put the browser out of reach: the redirect chain behind the ad still ends up in the user's browser, so the user can still be affected.
http://ams1.ib.adnxs.com/if?e=wqT_3QLNBPBCRA[...]uAQA&s=1d86c6[...]&referrer=skype.com led to http://dwuplaszczyznowosc.checkcashingbridgeport.com/boards/index.php
http://ams1.ib.adnxs.com/if?e=wqT_3QLVBPQAAU[...]uAQA&s=a9adea[...]&referrer=skype.com led to http://staraly1savage.bendovr.com/forums/viewtopic.php
This particular campaign ended up redirecting to the Angler exploit kit.
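The chains above share a shape that is easy to hunt for in proxy logs: an adnxs.com ad call (whose referrer= query parameter names the publisher that displayed the ad, here skype.com) followed by a request whose Referer is that ad call and whose destination is not known ad infrastructure. The script below is an added example, not code from the original post or from the vendor. It reconstructs those hops from a few constructed log lines; the benign host cdn.example-adcreative.net, the allowlist, the log format and the client addresses are all assumptions made for the example. The landing hosts and paths are the ones quoted above.

```python
"""Reconstruct ad-call -> landing-page hops from proxy logs (added example)."""
from urllib.parse import parse_qs, urlsplit

AD_HOST = "adnxs.com"

# Hypothetical allowlist: hosts an adnxs.com ad call is expected to hand off to
# (creative CDNs and the like). Any other host reached straight from the ad
# call is worth a look.
KNOWN_AD_HOSTS = {"cdn.example-adcreative.net"}

# Landing paths observed in this campaign (from the post).
GATE_PATHS = ("/boards/index.php", "/forums/viewtopic.php")

# Constructed sample log lines, not real traffic: "<client> <url> <referer>".
# The e= and s= values are shortened placeholders.
SAMPLE_LOG = """\
10.0.0.5 http://ams1.ib.adnxs.com/if?e=AAAA&s=1111&referrer=skype.com http://www.skype.com/
10.0.0.5 http://dwuplaszczyznowosc.checkcashingbridgeport.com/boards/index.php http://ams1.ib.adnxs.com/if?e=AAAA&s=1111&referrer=skype.com
10.0.0.7 http://ams1.ib.adnxs.com/if?e=BBBB&s=2222&referrer=wowhead.com http://www.wowhead.com/
10.0.0.7 http://cdn.example-adcreative.net/banner.png http://ams1.ib.adnxs.com/if?e=BBBB&s=2222&referrer=wowhead.com
10.0.0.9 http://ams1.ib.adnxs.com/if?e=CCCC&s=3333&referrer=dailymail.co.uk http://www.dailymail.co.uk/
10.0.0.9 http://staraly1savage.bendovr.com/forums/viewtopic.php http://ams1.ib.adnxs.com/if?e=CCCC&s=3333&referrer=dailymail.co.uk
"""


def parse_log(text):
    """Split the constructed log format into (client, url, referer) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, referer = line.split()
        rows.append((client, url, referer))
    return rows


def is_adnxs_call(url):
    """True for an AppNexus ad-serving call: host under adnxs.com, path /if."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return (host == AD_HOST or host.endswith("." + AD_HOST)) and parts.path == "/if"


def publisher_of(ad_url):
    """The referrer= value inside the ad call, i.e. the site or app that showed the ad."""
    return parse_qs(urlsplit(ad_url).query).get("referrer", ["?"])[0]


def find_suspicious_hops(rows):
    """Return every request made directly from an adnxs.com ad call that lands
    on a host outside the allowlist, attributed to the publisher of the ad."""
    hits = []
    for client, url, referer in rows:
        if not is_adnxs_call(referer):
            continue
        landing = urlsplit(url)
        host = landing.hostname or ""
        if host in KNOWN_AD_HOSTS:
            continue
        hits.append({
            "client": client,
            "publisher": publisher_of(referer),
            "ad_call": referer,
            "landing_host": host,
            # Flag landing paths matching the gate pattern seen in this campaign.
            "gate_path": landing.path in GATE_PATHS,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_hops(parse_log(SAMPLE_LOG)):
        print(hit)
```

Run as-is, it reports the two hops that leave adnxs.com for the forum-style landing pages (one attributed to skype.com, one to dailymail.co.uk) and ignores the creative served from the allowlisted CDN. In a real deployment the allowlist has to be built from your own traffic, and the referrer= attribution is what tells you a non-browser platform such as Skype was the entry point.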
Ordinary browser visits were of course present as well, which means this attack was not aimed specifically at Skype users. For a user on a regular browser, here's an example of the infection chain we observed:
A machine infected with TeslaCrypt will display this message:
Other popular websites that redirected to adnxs.com were gaming-related sites (wowhead.com, gsn.com, zam.com, wikia.com), news sites (dailymail.co.uk) as well as internet portals like msn.com.
This campaign seems to have ended quite quickly. The good news is that, while the campaign was active, our users were protected against this threat, as we detect Angler as Exploit:JS/AnglerEK.D.