Cyber Incident Victim: WBTV

Date:

May 2016

Location:

United States of America

Summary

A CBS-affiliated television station, WBTV, along with another affiliate, inadvertently exposed visitors to the Angler exploit kit through a malvertising attack orchestrated via a compromised Taggify self-serve advertising platform. A rogue advertiser abused hijacked GoDaddy accounts to create malicious subdomains hosting deceptive ad content, which dynamically served legitimate banners to web crawlers while redirecting genuine users to the exploit kit via hidden iframes. The attack leveraged domains like som.barkisdesign.com to deliver malicious JavaScript, ultimately redirecting victims to Angler's infrastructure for potential system compromise. Collaborative efforts between the ad platform, affected publishers, and domain registrar disrupted the ongoing campaign, which utilized IP address 199.255.137.197 and employed evasion techniques based on user-agent and IP filtering.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On or around May 4, 2016, a malvertising attack impacted visitors to two CBS-affiliated television station websites: KMOV in St. Louis and WBTV in Charlotte, North Carolina. A rogue advertiser compromised the Taggify self-serve advertising platform to deliver the Angler exploit kit through malicious banner ads. Attackers hijacked GoDaddy accounts to register subdomains that hosted both legitimate-looking ad content and malicious code, enabling them to alternate between clean and infected advertisements based on factors such as time of day, user agent, and IP address blacklists. The primary malicious domain appeared parked with no active content, while its subdomain delivered the exploit kit through a deceptive iframe redirect. This technique allowed the attackers to evade detection by serving benign ads to web crawlers and security scanners while redirecting actual visitors to compromised servers.

The attack chain began when visitors accessed KMOV.com, which loaded an ad from Taggify's platform (data.rtbfy.com). This triggered a connection to the rogue advertiser's server at som.barkisdesign.com, which delivered a malicious JavaScript file. The script redirected users to the Angler exploit kit hosted at parkwateavereverende.fredricholmgren.se, where exploitation attempts occurred. At the time of Malwarebytes' initial report, the attack remained active. The security firm notified Taggify, the affected publishers, and GoDaddy about the ongoing compromise. Identified indicators of compromise included the domain som.barkisdesign.com and IP address 199.255.137.197. Subsequent updates confirmed Taggify's collaboration in resolving the incident by May 5, with the company later implementing proactive detection tools to prevent similar malvertising attacks, as noted in a November update. The incident exposed visitors to drive-by download attempts in which the Angler exploit kit targeted known browser and plugin vulnerabilities.
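The evasion described above (benign banners for crawlers, a hidden iframe to the exploit kit for real browsers) is exactly what an ad platform's creative scanner needs to catch. The following is an added example, not tooling from Malwarebytes, Taggify or the publishers: it parses a creative's HTML for hidden iframes pointing off the ad host, then compares what a crawler-style fetch saw against what a browser-style fetch saw. The HTML snippets and the hostnames ads.example and redirect.invalid are constructed for the example.

```python
"""Flag hidden off-site iframes in ad creatives and detect cloaking by
comparing a crawler-view fetch with a browser-view fetch of the same ad."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare flags
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """Heuristic: is this iframe visually hidden from the user?"""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    hidden_css = any(
        marker in style
        for marker in ("display:none", "visibility:hidden",
                       "width:0", "height:0", "left:-", "top:-")
    )
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return hidden_css or tiny or "hidden" in attrs


def find_hidden_offsite_iframes(html, creative_host):
    """Return sorted hostnames of hidden iframes whose src is not creative_host."""
    parser = _IframeCollector()
    parser.feed(html)
    hosts = set()
    for attrs in parser.iframes:
        host = urlparse(attrs.get("src") or "").hostname or ""
        if host and host != creative_host and _is_hidden(attrs):
            hosts.add(host)
    return sorted(hosts)


def cloaking_verdict(crawler_html, browser_html, creative_host):
    """Compare the two views; 'cloaked' means the browser view carries a
    hidden off-site iframe that the crawler view does not."""
    crawler_hits = find_hidden_offsite_iframes(crawler_html, creative_host)
    browser_hits = find_hidden_offsite_iframes(browser_html, creative_host)
    return {
        "crawler": crawler_hits,
        "browser": browser_hits,
        "cloaked": bool(set(browser_hits) - set(crawler_hits)),
    }


# Constructed sample creatives (hypothetical hosts, not the incident's IoCs).
CRAWLER_HTML = (
    '<div><a href="https://ads.example/click">'
    '<img src="https://ads.example/banner.png" width="728" height="90"></a></div>'
)
BROWSER_HTML = CRAWLER_HTML + (
    '<iframe src="https://redirect.invalid/gate.php" '
    'style="position:absolute; left:-9999px; width:1px; height:1px"></iframe>'
)

if __name__ == "__main__":
    print(cloaking_verdict(CRAWLER_HTML, BROWSER_HTML, "ads.example"))
```

In practice the two fetches would be made with a scanner user agent and a consumer browser profile from different source networks, since the page notes the campaign also keyed on IP address; a `cloaked` verdict is a reason to pull the creative and review the advertiser account rather than a proof of malice on its own.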

Sources: 1 source (available to members)