'Kyle and Stan' malvertising attack infects millions via Amazon and YouTube

News by Tim Ring

A malicious advertising network dubbed 'Kyle and Stan' has dropped malware on possibly millions of users via hundreds of websites including Amazon, YouTube and Yahoo, according to a Cisco investigation.

The attack has been running since May and is described by Cisco as “highly sophisticated” because it delivers different ‘mutating' adware and spyware depending on whether the recipient is a Windows or Mac user.

It also drops unique malware on every victim to help avoid detection, says the company in an 8 September blog.

Cisco has nicknamed the network ‘Kyle and Stan' because most of the 700-plus domains it identified being used by the attackers are named ‘stan.mxp(1-4 digits).com' or ‘kyle.mxp(1-4 digits).com'.

In the blog, Cisco's Armin Pelkmann, Shaun Hurley and David McDaniel say: “The network leverages the enormous reach of well-placed malicious advertisements on very well-known websites in order to potentially reach millions of users.

“The goal is to infect Windows and Mac users alike with spyware, adware and browser hijackers. It is not too far-fetched that other kinds of malware are being used as well.”

Cisco says the observed total of 700 domains is “likely just the tip of the iceberg”, adding: “The large number allows the attackers to use a certain domain just for a very short time, burn it and move on to use another one for future attacks. This helps avoiding reputation and blacklist-based security solutions.

“We are facing a very robust and well-engineered malware delivery network that won't be taken down until the minds behind this are identified.”

Cisco found just under 10,000 users connecting to the network's domains during its investigation.

Cisco says malvertising (malicious advertising) targets the relatively small number of firms who supply online ads to thousands of websites.

“If an attacker can get one of those major advertisement networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack.”

The Kyle and Stan campaign - which peaked in mid-June and early July but is still ongoing - works by planting a malicious ad on a legitimate site, which redirects the user to another site where they are infected with the malware.

The attackers rely purely on social engineering techniques to get users to install the malware, with no drive-by exploits used so far.

Mac users get the legitimate MPlayerX app bundled with two well-known adware/browser hijackers - Conduit and VSearch.

Windows users get a malware dropper that installs several common spyware/adware apps. Cisco says this dropper “has an interesting way of retrieving its various payloads through a GET request. The dropper is a 32-bit executable written in C++”.

The blog explains: “What is special about the attack is that they are targeting Windows and Mac computers alike.”

All the domains they discovered are hosted by Amazon.

Commenting on the attack, Chris Boyd, a malware intelligence analyst with Malwarebytes, said it had the hallmarks of a well-organised campaign that “has managed to stick around for quite some time”.

He told SCMagazineUK.com via email: “Any malvertising attack which winds up on major ad networks and/or popular websites is always going to be bad news for the average surfer. In fact, it seems a little unusual that this particular round of malvertisements don't take advantage of that traffic with the use of exploit kits such as Angler to increase the danger to potential victims.”

Boyd said that adware usually takes the form of PUPs (potentially unwanted programs) which typically don't pose a major threat, but warned: “Spyware can be particularly unwelcome on a user's machine and is often difficult to remove without dedicated tools.”

He added: “In the past, we've seen banking Trojans used in malvertising outbreaks which isn't something anybody wants on their PC. Even rootkits have appeared in older malvertising attacks, so the sky is unfortunately the limit as far as the criminals are concerned.

“The case for ad-blocking tools and script-controlling browser extensions will only ever be strengthened by incidents such as these, which ultimately impact on the revenue of the sites we like to frequent. In the long run, the individuals behind these attacks harm everybody to some extent.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews