Google's DoubleClick advertising network is the lifeblood of many websites driven by ad revenue—and it's also a potential path of attack for criminals trying to spread extortionware and other malware. Some Huffington Post readers fell victim to malicious advertisements spread through Google's DoubleClick network early this week, but another simultaneous attack may have reached an even bigger audience.
Two ad network merchants became unwitting accomplices to attackers using similar Flash-based ads, displaying them on multiple legitimate sites. The Huffington Post advertisement—a fraudulent Hugo Boss ad that also appeared on other major legitimate sites (including the real estate site Zillow.com)—was spread through DoubleClick via the ad network AdButler, according to Malwarebytes, which tracked the attack. That attack attempted to download Cryptowall ransomware to victims' PCs.
The second attack came to DoubleClick through Merchanta, an ad network that serves up 28 billion advertisement impressions a month in the US alone. There is no estimate of how many people were exposed to the attack, but it likely cast a worldwide net and could have infected thousands of PCs with malware. Malwarebytes did not collect the malware payload of the Merchanta attack, but Malwarebytes Lab's Jérôme Segura wrote in a post on the attack that the Flash exploit used in both attacks was identical, using the same Flash exploit kit. "It is worth noting that this malicious SWF (Flash file) had zero detection on VirusTotal when it was first submitted," Segura said.