
Large malvertising campaign under way involving DoubleClick and Zedo

Earlier today, we warned people that both The Times of Israel and The Jerusalem Post were affected by a malvertising attack.

It appears that this is a much larger and ongoing campaign that is affecting a number of other popular websites.

This campaign is significant because it involves doubleclick.net (Google's online advertising subsidiary) and Zedo (a popular advertising agency).


The latest victim of this campaign is last.fm, the popular music streaming site:


The malware payload distributed onto unsuspecting visitors was identified as Zemot by Microsoft in their MSRT for September:


Looking at our logs, we first detected this new attack pattern on August 30th, at 2 AM. These are the URLs we caught (posted on PasteBin).

What is important to remember is that legitimate websites entangled in this malvertising chain are not infected. The problem comes from the ad network agency itself.
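To make that distinction concrete, here is an added example (not code from the original post or from Malwarebytes) that walks Referer headers in proxy logs back from a payload download to the page the visitor opened, then splits the chain into the publisher, the ad-network hops and whatever was served after them. All log lines and URLs are constructed placeholders, and the AD_NETWORKS list is an assumption based on the two networks named above.

```python
"""Reconstruct a malvertising redirect chain from proxy logs via Referer headers.
Constructed sample data; hosts after the ad-network hops are .invalid placeholders."""
from urllib.parse import urlsplit

# Constructed proxy log lines: "client url referer" ('-' = no Referer sent).
SAMPLE_LOG = """\
10.0.0.5 https://www.last.fm/home -
10.0.0.5 https://ad.doubleclick.net/adj/constructed;sz=300x250 https://www.last.fm/home
10.0.0.5 https://d3.zedo.com/jsc/constructed.html https://ad.doubleclick.net/adj/constructed;sz=300x250
10.0.0.5 https://redirect.example.invalid/go?id=1 https://d3.zedo.com/jsc/constructed.html
10.0.0.5 https://payload.example.invalid/update.exe https://redirect.example.invalid/go?id=1
10.0.0.7 https://www.last.fm/music/Radiohead -
"""
# Assumed list of ad-network domains (the two named in the post).
AD_NETWORKS = ("doubleclick.net", "zedo.com")

def parse_log(text):
    """Return (client, url, referer) tuples; referer is None for '-'."""
    rows = []
    for line in text.splitlines():
        client, url, ref = line.split()
        rows.append((client, url, None if ref == "-" else ref))
    return rows

def redirect_chain(rows, client, final_url):
    """Walk Referer headers backwards from final_url to the page the client
    opened first; returns the chain in load order and stops on cycles."""
    referer_of = {u: r for c, u, r in rows if c == client}
    chain, url = [], final_url
    while url is not None and url not in chain:
        chain.append(url)
        url = referer_of.get(url)
    return list(reversed(chain))

def host_of(url):
    return urlsplit(url).hostname or ""

def is_ad_network(host):
    return any(host == d or host.endswith("." + d) for d in AD_NETWORKS)

def attribute_chain(chain):
    """Split a chain into (publisher host, ad-network hops, hops after the
    last ad-network hop). The publisher is not infected; the trailing hops
    are what the ad network served and are the part to block and report."""
    hosts = [host_of(u) for u in chain]
    ad_idx = [i for i, h in enumerate(hosts) if is_ad_network(h)]
    if not ad_idx:
        return hosts[0], [], hosts[1:]
    return hosts[0], hosts[ad_idx[0]:ad_idx[-1] + 1], hosts[ad_idx[-1] + 1:]
```

Run `attribute_chain(redirect_chain(parse_log(SAMPLE_LOG), "10.0.0.5", "https://payload.example.invalid/update.exe"))` to see the publisher separated from the hops the ad chain introduced.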

We rarely see attacks on a large scale like this, so we highly recommend that people keep their systems up-to-date, with current antivirus and anti-malware protection. Malwarebytes Anti-Exploit also detects and blocks these attacks without using any sort of signatures.

We will keep you updated as this is still developing.

@jeromesegura

Update (09/19/14 9:20 AM PT): It appears that the malicious redirection has stopped. Last activity was detected by our honeypots around midnight last night, and nothing else since then. We are still monitoring the situation and will update here if necessary.

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher