Research from a newly formed security intelligence group at Cisco has revealed a large malvertising network that is impacting well-known domains, including Amazon, Yahoo and YouTube. The malvertising network has been named “Stan and Kyle” and is likely a reference to the popular Comedy Network cartoon “South Park.”
Malware-infected online advertising, typically referred to as malvertising, is an increasingly growing threat. In a malvertising attack, online ads are infected with some form of malware that redirects users to unintended locations, in many cases dropping malicious downloads in the process.
Armin Pelkmann, threat researcher in the Talos Security Intelligence and Research Group at Cisco, explained to eWEEK that when Talos first observed the malvertising attack, it found “Stan” and “Kyle” subdomains. Domains of that style make up more than a third of the total of domains found.
“So we can only assume that the attackers are fans of that show and used ‘South Park’ names for their scheme,” Pelkmann said.
Talos is a recently formed group within Cisco that consolidates several different prior research efforts. Pelkmann noted that the Talos Security Intelligence and Research Group is made up of leading threat researchers supported by sophisticated systems. Talos maintains the official rule sets of Snort.org, ClamAV, SenderBase.org and SpamCop.
“Talos’ renowned security experts are a combined team from Sourcefire’s Vulnerability Research Team, Cisco’s Threat Research and Communications (TRAC) and Cisco Security Applications group,” Pelkmann said. “The team’s expertise spans software development, reverse engineering, vulnerability triage, malware investigation and intelligence gathering.”
Stan and Kyle’s Neighborhood
According to the Talos research, there are now 6,491 malicious domains that are part of the Kyle and Stan malvertising network. What is not definitely known at this point is precisely how many malicious ads have been served by Kyle and Stan.
“Only the people running the exploited ad networks can with 100 percent accuracy answer this,” Pelkmann said.
Talos has shown that some of the biggest Websites on the Internet were abused by this attack, he added. Though an attack might only last for a few minutes before being detected and shut down, Pelkmann warned that the impact could potentially reach millions.
At the root of the Kyle and Stan malvertising attack is JavaScript code that is injected into an online advertisement that redirects users.
“You are surfing on a trusted Website—and, boom, without clicking on anything, you are on a malicious Website that offers you a malware download or starts the download for you already,” Pelkmann said. “And the attack is smart because it finds out what operating system and browser you are using to deliver you a piece of malware that will work on your platform.”
The Kyle and Stan malvertising effort is actually using legitimate advertisement networks that can be used to display information on the big sites of the Internet. The malicious ad takes the user from the safe place, through a number of redirects, to malicious Websites that are hosting the malware to infect the users.
At this point, there are some indications on possible attribution for who is behind the Kyle and Stan attack. In the “South Park” TV show, the Cartman character is often involved in various bad efforts.
“When in doubt, it is pretty safe to assume that Cartman has something to do with it,” Pelkmann joked.
On a more serious note, Pelkmann said that Amazon Web Service and a Spanish service provider’s network have been used for most of the attack’s infrastructure.
“We are working with the industry to shut down the malvertisement network,” Pelkmann said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.