Cyber Incident Victim: Daily Mail
Date: Oct 2015
Location: United Kingdom
Summary
A malvertising campaign leveraging the Angler exploit kit targeted a prominent UK news publication, exposing millions of monthly readers to ransomware. Attackers compromised third-party advertising networks to display malicious ads near the site's toolbar, redirecting users to fraudulent servers hosting the exploit kit. The attack exploited vulnerabilities in unpatched Internet Explorer and Adobe Flash Player installations to deploy CryptoWall ransomware, which encrypted victims' files and demanded Bitcoin payments for decryption. This incident highlighted the persistent threat of malvertising as a vector for large-scale exploitation, utilizing compromised ad auctions to infiltrate systems through trusted platforms.
Description
In October 2015, the Angler exploit kit targeted visitors to the UK-based Daily Mail website through a malvertising campaign. Attackers purchased ad space via third-party advertising networks that served tailored ads based on user data like search history. The malicious ad appeared near the Daily Mail toolbar after attackers won a bidding auction for prominent display placement. When clicked, the ad redirected users to a fraudulent advertising server hosted on Microsoft’s Azure platform, which delivered the Angler exploit kit. This kit deployed known exploits targeting unpatched vulnerabilities in Internet Explorer and Adobe Flash Player. Successful exploitation resulted in the automatic download of CryptoWall ransomware onto vulnerable systems. Infection occurred upon accessing the compromised domain, requiring no additional user interaction beyond the initial ad click. The campaign leveraged Daily Mail’s extensive monthly readership of up to 156 million users to maximize potential infections. Malwarebytes identified the attack, noting Angler’s prior targeting of eBay and Yahoo through similar methods.

The incident led to the encryption of victims’ files, followed by ransom demands in Bitcoin for decryption keys. CryptoWall’s payload operated without requiring further actions from users after initial compromise. Daily Mail’s reliance on third-party ad networks, which balance revenue generation with content screening, created the attack vector. While advertising ecosystems implement controls to filter malicious ads, the Angler operators evaded detection long enough to deploy their payload. The attack exemplified malvertising’s persistence as a favored vector for exploit kits like Angler, which continually adapt to bypass security measures. No containment actions by Daily Mail or the ad networks were detailed in the available source material. The incident underscored the challenges of policing distributed advertising networks at scale, where fraudulent ads often persist until manually identified and removed.
