'Kyle and Stan' malvertising attack infects millions via Amazon and YouTube

The attack has been running since May and is described by Cisco as “highly sophisticated” because it delivers different ‘mutating’ adware and spyware depending on whether the recipient is a Windows or Mac user.

It also drops unique malware on every victim to help avoid detection, says the company in an 8 September blog.

Cisco has nicknamed the network ‘Kyle and Stan’ because most of the 700-plus domains it identified being used by the attackers are named ‘stan.mxp(1-4 digits).com’ or ‘kyle.mxp(1-4 digits).com’.

In the blog, Cisco's Armin Pelkmann, Shaun Hurley and David McDaniel say: “The network leverages the enormous reach of well-placed malicious advertisements on very well-known websites in order to potentially reach millions of users.

“The goal is to infect Windows and Mac users alike with spyware, adware and browser hijackers. It is not too far-fetched that other kinds of malware are being used as well.”

Cisco says the observed total of 700 domains is “likely just the tip of the iceberg”, adding: “The large number allows the attackers to use a certain domain just for a very short time, burn it and move on to use another one for future attacks. This helps avoid reputation and blacklist-based security solutions.

“We are facing a very robust and well-engineered malware delivery network that won't be taken down until the minds behind this are identified.”
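The domain naming pattern reported above (‘stan.mxp(1-4 digits).com’ / ‘kyle.mxp(1-4 digits).com’) and the burn-and-rotate behaviour Cisco describes suggest matching on the naming shape rather than on a static list of individual domains. The following is an added example, not code from Cisco or from the article: it runs a pattern check over constructed proxy-log lines (the log format, hostnames and IP addresses are invented for illustration) and summarises which clients touched matching domains and how often each domain was seen.

```python
import re
from collections import Counter

# Naming pattern for the campaign's domains as described by Cisco in the article:
# 'stan.mxp' or 'kyle.mxp' followed by 1-4 digits, then '.com'. The regex is
# anchored so only that exact shape matches, and case-insensitive because log
# sources differ in how they record hostnames.
KYLE_STAN_RE = re.compile(r"^(?:kyle|stan)\.mxp\d{1,4}\.com$", re.IGNORECASE)

# Constructed proxy-log sample (not from the article). Each line is:
#   <timestamp> <client-ip> <method> <host> <status>
SAMPLE_LOG = """\
2014-06-15T10:02:11Z 10.0.0.12 GET www.example-news.test 200
2014-06-15T10:02:12Z 10.0.0.12 GET stan.mxp312.com 302
2014-06-15T10:02:13Z 10.0.0.12 GET kyle.mxp7.com 200
2014-06-15T10:05:40Z 10.0.0.44 GET stan.mxp312.com 302
2014-06-15T10:05:41Z 10.0.0.44 GET stan.mxp12345.com 200
2014-06-15T10:06:00Z 10.0.0.44 GET notkyle.mxp12.com 200
2014-06-15T10:07:00Z 10.0.0.51 GET KYLE.MXP4421.COM 200
"""


def is_kyle_stan_domain(host: str) -> bool:
    """True if the hostname matches the campaign's naming pattern exactly."""
    return KYLE_STAN_RE.match(host.strip()) is not None


def parse_line(line: str):
    """Split one sample-format log line into (timestamp, client, host); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    timestamp, client, _method, host, _status = parts
    return timestamp, client, host.lower()


def find_hits(log_text: str) -> list:
    """Return every log record whose host matches the pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_kyle_stan_domain(rec[2]):
            hits.append({"time": rec[0], "client": rec[1], "host": rec[2]})
    return hits


def summarize(hits: list) -> dict:
    """Count affected clients and how often each matching domain appears.

    A matching host that shows up only a handful of times and then disappears
    is consistent with the short-lived, burn-and-rotate use the article
    describes, which is why matching on the naming pattern is more durable
    than blocking individual domains after the fact.
    """
    return {
        "clients": sorted({h["client"] for h in hits}),
        "domains": Counter(h["host"] for h in hits),
    }


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['client']} -> {h['host']}")
    print(summarize(found))
```

Two of the constructed lines are deliberate near-misses (`stan.mxp12345.com` has five digits, `notkyle.mxp12.com` has a different label) so the anchored regex is shown rejecting look-alikes; in a real deployment the regex would be applied to DNS or proxy telemetry and the resulting client list handed to incident response for triage.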

Cisco found just under 10,000 users connecting to the network's domains during its investigation.

Cisco says malvertising (malicious advertising) targets the relatively small number of firms who supply online ads to thousands of websites.

“If an attacker can get one of those major advertisement networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack.”

The Kyle and Stan campaign - which peaked in mid-June and early July but is still ongoing - works by planting a malicious ad on a legitimate site, which redirects the user to another site where they are infected with the malware.

The attackers rely purely on social engineering techniques to get users to install the malware, with no drive-by exploits used so far.

Mac users get the legitimate MPlayerX app bundled with two well-known adware/browser hijackers - Conduit and VSearch.

Windows users get a malware dropper that installs several common spyware/adware apps. Cisco says this dropper “has an interesting way of retrieving its various payloads through a GET request. The dropper is a 32-bit executable written in C++”.

The blog explains: “What is special about the attack is that they are targeting Windows and Mac computers alike.”