Cyber Incident Victim: KMOV
Date: May 2016
Location: United States of America
Summary
A CBS-affiliated television station experienced a malvertising attack in which a rogue advertiser exploited the Taggify ad platform to distribute the Angler exploit kit to visitors. The attackers used compromised GoDaddy accounts to create subdomains that served malicious content dynamically, evading detection by displaying benign ads to scanners while redirecting users to the exploit kit. The campaign's infrastructure included specific domains and IP addresses. The issue was resolved through coordinated efforts with the involved platforms.
Description
In May 2016, two CBS-affiliated television station websites—KMOV in St. Louis and WBTV in Charlotte—inadvertently exposed visitors to the Angler exploit kit through compromised advertisements. A malicious actor abused the Taggify self-serve advertising platform to distribute malicious content via rogue ads. The attacker employed subdomains created through hijacked GoDaddy accounts to host malicious JavaScript and image files, which dynamically alternated between serving legitimate ads and malicious redirects based on factors like user agent strings, IP addresses, and time of day. This technique allowed the campaign to evade automated scanners and web crawlers, which received benign content, while human visitors were redirected through an iframe to Angler exploit kit landing pages. The attack chain began on KMOV’s domain (kmov.com), routed through Taggify’s platform (data.rtbfy.com), and leveraged a rogue advertiser’s domain (som.barkisdesign.com) hosting a malicious script. This script ultimately redirected users to an Angler exploit kit payload hosted on parkwateavereverende.fredricholmgren.se. Malwarebytes Labs identified the ongoing attack and reported it to Taggify, the affected publishers, and GoDaddy.

The malvertising campaign utilized the parked domain som.barkisdesign.com (IP: 199.255.137.197) to host deceptive ad banners, which concealed the malicious redirects. The Angler exploit kit targeted unpatched vulnerabilities in browsers or plugins to deploy malware onto victims’ systems. Taggify and its partners collaborated to rapidly identify and terminate the attack, as acknowledged in a May 5 update from Malwarebytes. No further incidents involving Taggify were observed by November 2016, with the company implementing proactive detection tools to prevent similar malvertising attacks. The incident demonstrated the risks of third-party ad networks being exploited to distribute exploit kits, impacting the credibility of legitimate media outlets and exposing their audiences to drive-by download threats.
