Kyle and Stan – A brand new malvertising network has been affecting Windows and Mac users who visit popular webpages such as amazon.com and youtube.com since May this year. The cybercriminals use Yahoo, Amazon and YouTube domains to infect users with adware, spyware and browser hijackers. Serving malware through online advertisements is a serious and persistent problem on the Web: advertising networks end up distributing various kinds of malware to the users of popular webpages.
The Nature of Kyle and Stan Malvertising Network
The malicious network has been given the name Kyle and Stan based on the fact that the creators of the malvertising network included “kyle” and “stan” in hundreds of their subdomains. So far the network consists of more than 700 domains from 74 popular sites and has created 9 541 connections to potential victims. Because the domains used by the network have a distinct naming pattern, security researchers believe this is only the “tip of the iceberg.” Such a pattern suggests that a large number of domains are registered automatically.
“The large number of domains allows the attackers to use a certain domain just for a very short time, burn it and move on to use another one for future attacks. This helps avoid reputation and blacklist-based security solutions. All in all we are facing a very robust and well-engineered malware delivery network that won’t be taken down until the minds behind this are identified,” explains Armin Pelkmann from Cisco’s Talos Security Research Team.
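The two signals described above, the “kyle”/“stan” label pattern and the short lifetime of each burned domain, can be turned into a simple detection over proxy logs. The following is an added example for defenders, not code from the original article or from Cisco Talos; the log format, every hostname and the one-hour lifetime threshold are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample proxy log lines (timestamp, client IP, method, URL).
# Every hostname is invented; only the "kyle"/"stan" label pattern comes
# from the reporting on this network.
SAMPLE_LOG = """\
2014-06-03T10:15:02Z 10.0.0.5 GET http://ads.example-adnetwork.test/serve?id=1
2014-06-03T10:15:03Z 10.0.0.5 GET http://kyle-and-stan.example-burn.test/land
2014-06-03T10:15:09Z 10.0.0.7 GET http://stan.update-flash.example-burn.test/dl
2014-06-03T10:16:00Z 10.0.0.9 GET http://www.example-shop.test/cart
2014-06-04T09:00:00Z 10.0.0.5 GET http://constantine.example-shop.test/checkout
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:?#]+)")
# "kyle"/"stan" as a whole label or hyphenated part of one; anchoring both
# sides on '.', '-' or a string end keeps e.g. "constantine" from matching.
SUSPECT_RE = re.compile(r"(?:^|[.-])(?:kyle|stan)(?:[.-]|$)")

def parse(log_text):
    """Yield (timestamp, hostname) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        host = HOST_RE.match(m.group(4).lower()) if m else None
        if host:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), host.group(1)

def registrable(host):
    # Simplification: last two labels. Real tooling should use a public-suffix list.
    return ".".join(host.split(".")[-2:])

def suspect_hosts(log_text):
    """Hostnames whose labels carry the reported kyle/stan naming pattern."""
    return [h for _, h in parse(log_text) if SUSPECT_RE.search(h)]

def burned_suspect_domains(log_text, max_seconds=3600):
    """Pattern-matching domains whose whole observed lifetime fits in max_seconds.
    A short lifetime is the 'use it, burn it, move on' behaviour the quote describes;
    requiring the naming pattern too avoids flagging ordinary one-off requests."""
    first_last, matched = {}, set()
    for ts, host in parse(log_text):
        dom = registrable(host)
        lo, hi = first_last.get(dom, (ts, ts))
        first_last[dom] = (min(lo, ts), max(hi, ts))
        if SUSPECT_RE.search(host):
            matched.add(dom)
    return sorted(d for d in matched
                  if (first_last[d][1] - first_last[d][0]).total_seconds() <= max_seconds)
```

Run over the sample, `suspect_hosts` returns the two pattern-matching hostnames and `burned_suspect_domains` narrows that to `example-burn.test`, the only matching domain that appears for just a few seconds and never again.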
Custom Made and Individually Wrapped: A Unique Piece of Malware for Every User
Malvertising works in the following manner: the infected advertisement is inserted into the stream of an already active online ad network, which delivers it to the different webpages. As soon as the user clicks on the ad, they are redirected to another site where they are lured into installing malware on their computer via social engineering tactics. This is also the infection pattern used by Kyle and Stan. Researchers report that Mac and Windows users are redirected to different malware, so both operating systems get infected. So far the attackers use a variety of spyware, adware and browser hijackers, but other types of malware may also come into play in the future. The droppers used in this scheme rely on encryption so that every dropped threat has a different checksum, which defeats simple hash-based detection.
The people behind the malvertising network have not been identified so far. It has been active since May this year, with high activity registered in June and July.