Cyber Incident Victim: Microsoft
Date: Jan 2016
Location: Germany
Summary
The MSN homepage was compromised via a malvertising campaign exploiting the AdSpirit ad platform, primarily targeting German users through a fraudulent Lidl supermarket advertisement. Attackers utilized RIG and Neutrino exploit kits delivered through newly registered domains with suspicious registrant details, redirecting visitors to malicious payloads; while specific payloads in these incidents were not captured, similar attacks during the period distributed CryptoWall ransomware. The malicious ad objects were promptly disabled after notification to AdSpirit and AppNexus, though the campaign highlighted ongoing abuse of ad networks to expose users to exploit kits and malware.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 19, 2016, malvertising campaigns leveraging Microsoft’s MSN homepage exposed visitors, primarily in Germany, to malware through compromised advertisements. Attackers abused the AdSpirit advertising platform to deliver malicious content via a Lidl supermarket ad, marking a recurrence of malvertising incidents on MSN and AdSpirit. Two distinct attack sequences were observed. The first incident originated with an ad call to lidl.adspirit.de, redirecting through rogue domains getkampagnen.com and norgren.top—registered on January 12 and January 6, 2016, respectively—to deliver the RIG exploit kit. The second incident involved an ad call via AppNexus (ib.adnxs.com), redirecting through my-tracker.space (registered January 17, 2016) and gamergrad.top (registered January 12, 2016) to deploy the Neutrino exploit kit. Both exploit kits targeted vulnerabilities in users’ systems, though the specific payloads in these attacks were not captured. Historical data from contemporaneous RIG exploit kit campaigns indicated a likelihood of CryptoWall ransomware infections, which encrypt files and demand payment for decryption.

The attacks exhibited patterns consistent with prior malvertising incidents, including the use of newly registered domains obscured by privacy services like [email protected] and falsified registrant details such as "Jhon Smith." Malwarebytes researchers identified the malicious activity and promptly notified AdSpirit, which confirmed and addressed the compromises. AppNexus, the ad exchange platform involved in the second incident, deactivated the malicious ad objects and initiated a review of the attacks. The incidents underscored the persistent risk of malvertising via high-traffic platforms like MSN: users were exposed simply by loading the page, with no further interaction required. While Microsoft’s direct response was not detailed in the report, the collaboration between security researchers and advertising intermediaries led to containment of the active threats. The operational disruption to users stemmed from potential system compromises, particularly ransomware infections, though the full scope of affected systems was not quantified.
