Malware-Infested Ads Found on Major Websites

Credit: Lightspring/Shutterstock

(Image credit: Lightspring/Shutterstock)

Break out your ad blocker or your NoScript: Malicious advertisements have been discovered infecting the Web browsers of people who visited certain major websites between Aug. 19 and Aug. 22. Users did not have to click on the ads to be infected.

The "malvertising" was found on, DeviantArt, TMZ, Photobucket, IBTimes,, and, and eventually detected by Dutch Internet-security company Fox-IT. The websites themselves were not hacked; rather, the malicious ads had been spread through the online advertising network AppNexus. (AppNexus quickly removed the ads, which had abused an automated-bidding placement process.)

MORE: 10 Best Ad Blockers and Privacy Extensions

When victims visited websites containing these malicious ads, hidden links triggered a drive-by download. The victims' browsers were redirected to a malicious Web page hosting the Angler browser exploit kit, a software bundle containing exploits for several known flaws in browser plugins, such as Flash Player, Java and Microsoft Silverlight.

Like most exploit kits, Angler tries several different attacks until it finds one that gets through a browser's defenses. It then uses that hole to inject and launch malware — in this case, the Rerdom backdoor Trojan, which establishes a foothold for possibly more malware to be installed. Think of Angler as a hypodermic needle, and Rerdom as the stuff being injected into victims' computers.

Malvertising has been a problem for many years; even the New York Times website was hit in 2009. Unfortunately, the online-advertising industry has created many layers of buyers, referrers, bidders and networks, most of which use computerized processes to rapidly maximize effectiveness and revenue.

Website operators often have no direct relationship with, or control over, the ads that appear on their sites. The highly decentralized nature of the ad-placement process creates opportunities for malicious actors to inject themselves into the process.

What can you do to protect yourself from malicious ads? First, run a good antivirus program, which will detect browser exploit kits hidden in Web pages. We've reviewed our top antivirus picks on Tom's Guide.

Next, you could try to use an ad blocker in your browser. You can also enable click-to-play, a setting in modern browsers that bars each multimedia file, such as an ad that plays music or movies, from running unless you give it express permission.

However, both solutions may be incomplete. Some ad blockers "whitelist" certain ad networks so their ads display, and click-to-play settings won't affect simpler ads.

It might be best to install a plugin, such as NoScript for Mozilla Firefox or Script Blocker for Google Chrome, that blocks all executable browser content. Users will generally be able to temporarily or permanently allow content from certain sites, while continuing to block others — such as that from ad networks.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

  • I have my ad blcker on right now. Only blocking 25 ads. On this site. Oups, scrolled down to the next article, now it's 39.
  • nukemaster
    I have my ad blcker on right now. Only blocking 25 ads. On this site. Oups, scrolled down to the next article, now it's 39.
    Ad's do still pay the bills for all these websites.
  • tom10167
    Pretty noble of Tom's to recommend AdBlock when their own site is ad-funded.
  • razor512
    I have my ad blcker on right now. Only blocking 25 ads. On this site. Oups, scrolled down to the next article, now it's 39.
    Ad's do still pay the bills for all these websites.

    while ads do pay the bills, I feel that websites that care enough to vet the ads before displaying them should be rewarded with ad views, for the sites and services which rely on automated ad placement, they deserve to have their ads blocked.

    If they do not care enough to inspect the ads beforehand, then they we should not care enough to unblock their ads.
  • razor512
    If advertisers do not care enough to properly inspect the ads before publishing them, then users should not care enough to unblock their ads.

    While most people are perfectly fine with ads as we understand that they fund the sites we like, the well for ads have been poisoned. Pretty much 99.999% of all ads, advertise the same crap that gets blocked by the spam filter in email. I do not mind non obnoxious ads, but some sites will run ads which have auto playing video or audio. What many sites do not understand is that they can no longer just give an advertiser full control over a section of their site. if the website owner does not care enough to vet each ad, then the users should not care enough to view the ads.

    Website owners need to start meeting the users half way and earn their trust, show the users that you know that is being hosted and are not just giving someone free reign over part of your website.
  • There's a limit at which ads become excessive. If a part was reviewed here, and advertised at a good price for new eeg or amazom (need to bypass filters), well sure I would click it. And buy that part. That's why I'm here. To see if there is anything worth buying.

    I never used to have AdBlck on, until they started putting ads in every benchmark result graph, and I wasn't able to see if higher was better etc. It's actively preventing me from getting information.

    The problem is, it's all or nothing. Either I see all the ads, or none. But that's not my problem, now is it?
  • Vorador2
    Sometimes i feel bad about using adblocker on pages i visit daily, and whitelist them.

    Until the ads start playing music. Or videos, or pop ups. Then i turn it back on.

    Stop using the high paying annoying ads, and i will stop using adblocker.
  • damianrobertjones
    Or, as not everyone wants Chrome etc, add a list to your hosts file that protects your entire PC.
  • RCguitarist
    Adblock plus works great for me. And if you listen to pandora, ad block plus actually removes all commercials from playing, it's great. I do however leave my favorite websites such as toms, rock paper shotgun, etc on the whitelist to support them.
  • Adrienne Boswell
    Recommendation: Use a hosts file. If your hosts file has an entry for as, your browser will just go to that IP address. No need for ad blockers or extensions. I still use Noscript to keep safe from malicious JavaScript, and I have Flash and the like only on demand. I haven't had a virus in over 10 years.