Anyone who has visited popular domains such as YouTube.com, Amazon.com or Ads.Yahoo.com could be a victim of a new, mutating malware attack distributed through the online ad network adverts displayed on the sites, according to a new blog by networking specialist Cisco.

The blog describes how the online ad malware (which comes in two forms, one for PC, one for Mac), is distributed via online advertising networks - basically by conning one of the large companies whose ads are seen on thousands of sites into forwarding an ad with a malicious payload.

The Register describes the process as, “The high-profile serving domains – along with many others – are, of course, receiving the “malvertising” from online ad networks that have been tricked into hosting the attack content.”

Online ad threat: How it works

The Cisco bloggers say that a number of major domains, listed in their original blog post, have been affected by the current attack. The attack has been nicknamed Kyle and Stan, due to the naming scheme of the subdomains within the group - “stan.mxp2099.com” and “kyle.mxp2038.com”.

Threatpost reports that the likely size of the attack is probably much larger than the 700 domains analyzed by Cisco, and says, “700 domains and nearly 10,000 users have hit these domains and been exposed to the malicious advertisements.”

Threatpost points out that the attack vector is not new - the New York Times has previously fallen victim to a malvertising campaign - but that ‘Kyle and Stan’ takes a unique approach.

Cisco says that the attack delivers a unique malicious payload for every visitor, packaged with a legitimate media player, and a piece of malware which is tailored to each user.

 "Extremely effective attack"

“The idea is very simple: use online advertising to spread malware. This attack form is not new, but extremely effective,” Cisco says.

“The world of online ads has only a few major players. If an attacker can get one of those major online ad networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack.”

The attack comes in various forms, Cisco reports, but so far relies on pure social-engineering, rather than ‘drive-by downloads’ where users who don’t click are infected. Different malware packages are delivered according to platform and user, and the attack is evolving, the bloggers warn.

A discussion of the murky world of malvertising, adware and ‘badware’ by ESET researcher Joan Calvet can be found here.