A new malvertising network is affecting Windows and Mac users visiting high-traffic locations, such as youtube.com and amazon.com.
Called “Kyle and Stan,” the name of the ad network comes from the naming scheme used by the attackers. Researchers from Cisco’s Talos Security Research found hundreds of websites included “kyle” and “stan” in sub-domain strings.
The malvertising functions where an attacker is able to insert their malcrafted ad in the stream of an online advertising network which then distributes it to different websites.
When the victim clicks on an ad, they go to another site, where malware ends up served and the user installs it via social engineering.
In the case of “Kyle and Stan,” there are multiple variations, but they all follow the same pattern where the redirect to the payload based on the user agent of the visitor’s web browser.
“We observed that Windows and Mac users get redirected to different malware in order to infect both operating systems,” Armin Pelkmann, Talos threat researcher said in a blog post.
The type of threats the researchers found served to the victims range from adware and spyware to browser hijacking software, but other types of malware could end up used by the attackers.
Another interesting part is each victim gets a piece of malware with a unique configuration file, thus generating a single checksum, which makes the threat more difficult to detect.
After analyzing some samples, the researchers noticed the malware droppers also relied on encryption to obtain a different checksum for each threat.
According to telemetry data, more than 700 websites suffered from the bad ads, which gives the bad guys access to a large pool of potential victims.
Pelkmann said apart from YouTube and Amazon websites, the attackers managed to insert their advertisements on ads.yahoo.com, winrar.com, as well as javaapx.com, javaupdating.com and grooveshark.audio-updates.com.