Dutch infosec firm Fox IT has spotted a large-scale malvertising campaign that seems to originate from Bulgarian Google ad reseller EngageLab.
The first redirection was spotted on Tuesday afternoon.
“It appears as if all of engagelab.com’s advertisements & zone IDs are currently redirecting to a domain, which in its turn is redirecting to the Nuclear Exploit Kit,” researcher Maarten van Dantzig shared, noting that this might indicate that the reseller has been compromised.
The exploit kit tries to take advantage of vulnerabilities in unsuspecting visitors’ Adobe Flash, Oracle Java and Microsoft Silverlight software to download and run (still unidentified) malware.
EngageLab is yet to comment on the findings. Google has been informed and has seemingly done something about it, as Fox IT no longer sees malicious redirects from the ad reseller.
On the off chance this is just a coincidence, administrators are advised to block access to 188.8.131.52, the intermediate site that links the legitimate websites carrying the malicious ads with the domain hosting the exploit kit, as it is the only constant asset used in the attack.
Updating the aforementioned software targeted by the exploit kit is also a great idea, and so is using a browser extension that blocks ads from loading, van Dantzig noted.
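Blocking the intermediate IP is the quick fix; the next question an administrator will ask is which clients already followed the chain and which of their own ad-carrying sites led them there. The script below is an added example (not Fox IT's tooling or anything from the report) that reconstructs the reseller → intermediate host → landing page chain from web-proxy logs. It takes only two indicators from the article, the reseller domain engagelab.com and the intermediate IP 188.8.131.52; the log format, the 10-second redirect window, and every host and client address in the sample log are constructed assumptions, and the landing-page name is a placeholder because the article does not name the exploit kit domain.

```python
"""Reconstruct the malvertising redirect chain from web-proxy logs.

Added example, not part of the original report. Assumes a simple
space-separated log format: timestamp client destination referrer.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator taken from the article: the intermediate redirect host.
BLOCKED_HOSTS = {"188.8.131.52"}
# Ad reseller domain named in the article.
AD_RESELLER_SUFFIX = "engagelab.com"
# Assumed window: a redirect shows up as a follow-up request within 10 s.
WINDOW = timedelta(seconds=10)

# Constructed sample log (timestamp client destination referrer).
# Hosts ending in .test and the landing-page name are placeholders.
SAMPLE_LOG = """\
2015-03-17T14:02:01 10.0.0.5 www.example-news.test -
2015-03-17T14:02:02 10.0.0.5 ads.engagelab.com www.example-news.test
2015-03-17T14:02:03 10.0.0.5 188.8.131.52 ads.engagelab.com
2015-03-17T14:02:04 10.0.0.5 ek-landing.example.test 188.8.131.52
2015-03-17T14:05:10 10.0.0.7 ads.engagelab.com www.example-blog.test
2015-03-17T14:05:11 10.0.0.7 cdn.example-blog.test www.example-blog.test
2015-03-17T14:09:30 10.0.0.9 188.8.131.52 -
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, client, dest, referrer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, referrer = line.split()
        records.append((datetime.fromisoformat(ts), client, dest, referrer))
    return records


def blocklist_hits(records):
    """Every client that contacted the intermediate host, chain or no chain."""
    return sorted({client for _, client, dest, _ in records if dest in BLOCKED_HOSTS})


def _is_reseller(host):
    return host == AD_RESELLER_SUFFIX or host.endswith("." + AD_RESELLER_SUFFIX)


def find_redirect_chains(records):
    """Per client: ad-carrying site -> reseller -> intermediate host -> landing page.

    A chain is reported when a request to the reseller is followed, within
    WINDOW, by a request to a blocked host. The landing page is the next
    request whose referrer is the blocked host, if one exists in the window.
    """
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)

    chains = []
    for client, recs in by_client.items():
        recs.sort()  # chronological order; tuples sort by timestamp first
        for i, (ts, _, dest, referrer) in enumerate(recs):
            if not _is_reseller(dest):
                continue
            for j in range(i + 1, len(recs)):
                ts2, _, dest2, _ = recs[j]
                if ts2 - ts > WINDOW:
                    break
                if dest2 in BLOCKED_HOSTS:
                    landing = None
                    for k in range(j + 1, len(recs)):
                        ts3, _, dest3, ref3 = recs[k]
                        if ts3 - ts2 > WINDOW:
                            break
                        if ref3 in BLOCKED_HOSTS:
                            landing = dest3
                            break
                    chains.append({"client": client, "ad_site": referrer,
                                   "reseller": dest, "intermediate": dest2,
                                   "landing": landing})
                    break
    return chains


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("clients that reached the intermediate host:", blocklist_hits(recs))
    for chain in find_redirect_chains(recs):
        print(chain)
```

On the sample log, client 10.0.0.5 yields a full chain with www.example-news.test as the ad-carrying site, 10.0.0.7 loaded the reseller's ad without being redirected, and 10.0.0.9 hit the blocked host directly and is caught by the blocklist check alone. The `ad_site` field is what makes this useful beyond a plain IP block: it lists the legitimate sites whose ad slots delivered the redirect, which is what you need for notifying site owners and scoping the exposure.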