Large malvertising campaign under way involving DoubleClick and Zedo

Earlier today, we warned people that both The Times of Israel and The Jerusalem Post were affected by a malvertising attack.

It appears that this is a much larger and ongoing campaign that is affecting a number of other popular websites.

This is really big because it involves DoubleClick (a subsidiary of Google for online ads) and Zedo (a popular advertising agency).


The latest victim of this campaign is, the popular music streaming site:


The malware payload distributed onto unsuspecting visitors was identified as Zemot by Microsoft in their MSRT for September.


Looking at our logs, we first detected this new attack pattern on August 30th, at 2 AM. These are the URLs we caught (posted on PasteBin).

What is important to remember is that legitimate websites entangled in this malvertising chain are not infected. The problem comes from the ad network agency itself.

We rarely see attacks on a large scale like this, so we highly recommend that people keep their systems up to date, with current antivirus and anti-malware protection. Malwarebytes Anti-Exploit also detects and blocks these attacks without using any sort of signatures.

We will keep you updated as this is still developing.


Update (09/19/14 9:20 AM PT): It appears that the malicious redirection has stopped. Last activity was detected by our honeypots around midnight last night, and nothing else since then. We are still monitoring the situation and will update here if necessary.


Jérôme Segura

Principal Threat Researcher