Cyber Incident Victim: Dailymotion
Date: Dec 2015
Location: France
Summary
A popular video streaming platform was compromised via a third-party advertising network, leading to malvertisements that delivered the Angler exploit kit. The attack utilized sophisticated evasion techniques including SSL encryption, IP filtering, and JavaScript obfuscation to target vulnerabilities in Flash, distributing malware such as Bedep and facilitating ad fraud. Rapid collaboration between security researchers and ad exchange providers mitigated the incident, preventing widespread harm to users.
Description
In December 2015, the video streaming platform Dailymotion, ranked among Alexa’s top 100 global websites, became a vector for a sophisticated malvertising attack distributing the Angler exploit kit. The incident originated through real-time bidding (RTB) within the WWWPromoter ad marketplace, where a rogue advertiser submitted a malicious decoy advertisement. This ad initiated a multi-stage redirection chain through compromised .eu domains, ultimately delivering Angler EK payloads. Attackers employed SSL encryption, IP blacklisting, and JavaScript obfuscation to evade detection, displaying malicious content only once per genuine visitor. Angler EK further conducted fingerprinting to avoid security researchers, honeypots, or web crawlers, ensuring exploits targeted valid victims. The attack exploited Flash vulnerability CVE-2015-7645 to deliver Bedep malware and ad fraud payloads. Security researchers confirmed the infection chain after reproducing a live attack via an ad call on Dailymotion, having previously observed related .eu domain activity without capturing final payloads.

The infection flow began when Dailymotion users accessed a specific video page, triggering an ad call to Atomx’s p.ato.mx domain. This redirected to WWWPromoter’s creative.wwwpromoter.com, which loaded malicious JavaScript from a sanitized .eu domain. Subsequent requests to additional .eu URLs led to an SSL-enabled redirector (worldbesttraffic.eu) and finally to the Angler EK landing page (ftuifio.vpkoqbs.eu). Researchers notified Atomx, which identified WWWPromoter and the malicious buyer as the source. The ad network and involved parties rapidly isolated the threat, limiting user exposure. Malwarebytes Anti-Exploit blocked the Flash exploit for protected users. The incident highlighted the difficulty of proving malvertising in lab environments due to evasion techniques, as well as the risk of reputable high-traffic sites being compromised via third-party ad networks.
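For defenders reviewing proxy logs after an incident like this one, the following added example (not code from the original write-up or from any party it names) rebuilds request chains from Referer headers and flags those that leave an ad host and then cross several further hosts. The log format, paths, the `.invalid` placeholder hosts, the hop threshold, and the presence of a Referer on every hop (for instance from a TLS-inspecting proxy) are all assumptions of the example.

```python
from urllib.parse import urlsplit

# Constructed proxy log: "<epoch> <client> <url> <referer or ->". Named hosts are
# from the write-up; *.invalid hosts stand in for the unnamed .eu domains.
SAMPLE_LOG = """\
1449500000 10.0.0.5 http://www.dailymotion.com/video/x000000 -
1449500001 10.0.0.5 http://p.ato.mx/placement?id=0 http://www.dailymotion.com/video/x000000
1449500002 10.0.0.5 http://creative.wwwpromoter.com/ad.html http://p.ato.mx/placement?id=0
1449500003 10.0.0.5 http://unnamed-js.eu.invalid/a.js http://creative.wwwpromoter.com/ad.html
1449500004 10.0.0.5 http://unnamed-hop.eu.invalid/b http://creative.wwwpromoter.com/ad.html
1449500005 10.0.0.5 https://worldbesttraffic.eu/r http://unnamed-hop.eu.invalid/b
1449500006 10.0.0.5 http://ftuifio.vpkoqbs.eu/landing https://worldbesttraffic.eu/r
1449500007 10.0.0.7 http://www.dailymotion.com/video/x000001 -
1449500008 10.0.0.7 http://p.ato.mx/placement?id=1 http://www.dailymotion.com/video/x000001
1449500009 10.0.0.7 http://creative.wwwpromoter.com/ok.html http://p.ato.mx/placement?id=1
"""
AD_HOSTS = {"p.ato.mx", "creative.wwwpromoter.com"}
MIN_UNKNOWN_HOPS = 3  # heuristic threshold, an assumption of this example


def chains(log_text):
    """Return (client, [hosts]) for every leaf request, walked back via Referer."""
    parent, order = {}, []
    for line in log_text.splitlines():
        _ts, client, url, ref = line.split()
        parent[(client, url)] = None if ref == "-" else (client, ref)
        order.append((client, url))
    used_as_referer = {p for p in parent.values() if p}
    result = []
    for node in order:
        if node in used_as_referer:  # something was loaded from it: not a leaf
            continue
        path, cur = [], node
        while cur and cur not in path:  # stop at chain start or a Referer loop
            path.append(cur)
            cur = parent.get(cur)
        result.append((node[0], [urlsplit(u).hostname for _, u in reversed(path)]))
    return result


def suspicious(chain):
    """True when the chain leaves the last ad host and crosses several more hosts."""
    ad_idx = [i for i, h in enumerate(chain) if h in AD_HOSTS]
    return bool(ad_idx) and len(set(chain[ad_idx[-1] + 1:])) >= MIN_UNKNOWN_HOPS


def flagged(log_text):
    return [(c, ch) for c, ch in chains(log_text) if suspicious(ch)]
```

A hop that arrives without a Referer starts a new chain, so real logs where the header is stripped between HTTPS and HTTP hops will show the chain in pieces.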
