“Over the last week, from Tuesday august 19th until Friday august 22nd, the Security Operations Center of Fox-IT’s ProtACT service observed multiple high-profile websites redirecting their visitors to malware. These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware.”  states the blog post.

“All the exploit kit hosts were observed using port 37702. Running exploit kits on high ports at best prevents certain network tools from logging the HTTP connections, as these are typically configured to monitor only HTTP ports,” Fox-IT said. “It does mean this exploit kit is blocked on a lot of corporate networks as they do not allow for browsing outside the normal HTTP ports, port 80 (or proxy ports) and 443 for SSL.” explained the researchers.

“The way it works is that a user with an interesting set of tracking cookies and other metadata for a certain adprovider is retargetted from the original advertisement content on the website to the modified or personalized data,” Fox-IT researchers said. “We have seen examples where the website that helped with the ad redirect to infect a user had no idea it was helping the delivery of certain content for a certain ad provider.

Malvertising campaigns are becoming even more sophisticated and insidious in the last years, the current malvertising schema are quite deceptive and noticeable only an the client side.

Pierluigi Paganini

(Security Affairs – malvertising, cybercrime)