Cyber Incident Victim: Dailymotion
Date: Jun 2014
Location: United States of America
Summary
The popular video-sharing platform Dailymotion was compromised via an injected iframe that redirected users to the Sweet Orange Exploit Kit, which used vulnerabilities in Java, Internet Explorer, and Flash Player to deploy malware. Successful exploitation resulted in the download of Trojan.Adclicker, which artificially generated pay-per-click ad traffic to earn revenue for the attackers. The campaign primarily targeted visitors in the US and Europe, capitalizing on the site's high traffic volume to maximize potential infections. The compromise was subsequently resolved, halting further redirections to the exploit kit.
Description
On June 28, 2014, attackers compromised the Dailymotion video-sharing platform by injecting malicious code into its infrastructure, redirecting visitors to the Sweet Orange Exploit Kit. The exploit kit leveraged vulnerabilities in Java, Internet Explorer, and Flash Player to deliver payloads onto vulnerable systems. Upon accessing Dailymotion, users were silently redirected via an injected iframe to an intermediary site, which subsequently directed them to a heavily obfuscated Sweet Orange landing page. The kit performed automated scans for outdated plugins on victim machines, deploying tailored exploits based on detected weaknesses. Successful exploitation resulted in the download of Trojan.Adclicker, malware designed to simulate fraudulent pay-per-click advertising traffic, generating illicit revenue for attackers. The campaign primarily targeted users in the United States and Europe, regions where Dailymotion maintained significant traffic volumes. By July 3, 2014, the compromise had been resolved, with no further redirections observed. Dailymotion’s inclusion in Alexa’s top 100 global websites amplified the attack’s potential scale, though exact infection rates remain unspecified.

Symantec confirmed its intrusion prevention systems (IPS) and antivirus signatures had existing detections for Sweet Orange Exploit Kit activity since 2013, providing protection to customers with updated defenses. The exploit kit’s infrastructure delivered exploits for multiple vulnerabilities, though specific CVEs were not disclosed in available reports. Trojan.Adclicker’s payload operation focused on covert ad-click fraud rather than data theft or system destruction. No evidence suggested secondary malware deployment or lateral movement beyond the initial compromise. The incident underscored the risk of leveraging high-traffic platforms for exploit distribution, though Dailymotion’s remediation efforts halted further infections within approximately five days. Symantec emphasized the importance of regular software updates to mitigate known vulnerabilities exploited in such campaigns.
