Cyber Criminals Hijack BBC, MSN and NYT Website To Serve Malicious Ads

Mainstream Websites including AOL, BBC and The New York Times Become Targets of Malvertising

A number of popular, high-profile websites have become targets of an extensive malvertising campaign. The websites attacked include many big names such as MSN, AOL, BBC, and The New York Times. Remember, this is not the first time for MSN to serve malicious adverts. In January 2015, the portal was dropping malware user PCs as part of a sophisticated malvertising campaign.


Malwarebytes reported that the malicious ads appeared out of nowhere and suddenly all the big publishing house websites got hit by it. The list of websites is pretty long as it included,,,, and, etc., apart from the ones mentioned above.

This new wave of malvertising campaign involves installation of crypto-ransomware along with other malware through adverts on these websites. When users visit these sites, the malware easily gets transferred onto the users’ computer system.

Through such tainted ads, computers of hundreds and thousands of internet users have become affected. The malvertising campaign was identified by security firm Trend Micro and the details were revealed in its official blog post.

How it all started?

This campaign started off previous week with laced banner ads being pushed via an infected ad network and spread through Angler toolkit, Microsoft Silverlight and similar commonly used software.


Trustwave’s SpiderLabs group also published a blog post in which it was revealed that a JSON-based file is being distributed through these tainted ads. The file contains around 12,000 lines of code. When deciphered by security researchers, it was discovered that this obfuscated code enumerated a wide range of security tools and protocols, which it can avoid to remain unidentified.

According to Dabiel Chechik, Rami Kogan and Simon Kenin from SpiderLabs: “If the code doesn’t find any of these programs, it continues with the flow and appends an iframe to the body of the HTML that leads to Angler EK landing page. Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware–double the trouble.”

The infected ads aren’t only appearing on publishers or news websites but also on sites like and

The domains from which these ads are being launched are associated with infected ad networks such as the most commonly appearing domain name is brentsmediacom. trackmytraffic, biz and talk915com, evangmediacom and shangjiamediacom.

It is being speculated by researchers that the attackers are making use of domain names that contain the term Media to make their infected domains appear as legitimate.

How to stay protected?

This campaign, however, highlights the important role that smart browsing plays in preserving our privacy and security while surfing the web. To avoid being exploited by malicious actors, security experts urge users to decrease their “attack surface,” which refers to uninstalling software like Oracle Java, Adobe Flash, Microsoft Silverlight, etc. In fact, users must delete all kinds of third party browser extensions that are unnecessary. Moreover, to ensure safe browsing, users must immediately install updates using the 64-bit Chrome version.

Related Posts