Cisco Blogs

Cisco Blog > Threat Research

Threat Spotlight: The Imperiosus Curse –A Tool of the Dark Arts

Authors: William Largent, Jaeson Schultz, Craig Williams. Special thanks to Richard Harman for his contributions to this post.

As consumers, we are constantly bombarded by advertising, especially on the World Wide Web. There is a lot of money to be made either pushing Internet traffic, or displaying ads to consumers. Total annual Internet advertising revenue from 2013 was over US $117bn, and will approach US $200bn by the year 2018. The online advertising industry field is already awash with many players, each clamoring for a piece of the Internet advertising pie. In fact, so many ad impressions are bought and sold daily, that it’s nearly impossible to keep track of who is buying and selling what. 

On one side of the online advertising spectrum are publishers. These are domains that receive Internet traffic and make money by displaying advertisements. On the other side of the spectrum we find advertisers who wish to sell products. And in the middle are ad-networks/ad-exchanges: marketplaces where publishers and advertisers can come together to wheel-and-deal on ad impressions. The astonishingly large number of online advertising industry middlemen between buyers and sellers creates terrific opportunities for bad actors to hide. The result is malware delivered through the online advertising ecosystem, A.K.A. “malvertising”.

How “bad guys” view the online ad industry.

How do malicious ads actually make it to end users? In our attempt to answer that question, Talos has uncovered a piece of Internet malvertising infrastructure that is both highly robust, and highly anonymized. It has been an Internet fixture for almost a sesquidecade, with redirection domains operating since early 2001. This infrastructure was designed specifically to focus Internet traffic towards advertising endpoints, unfortunately with little regard paid to legitimacy of the final destination. 
Read More »

Tags: , ,

Bad Browser Plug-ins Gone Wild: Malvertising, Data Exfiltration, and Malware, Oh my!

This post was authored by Fred ConcklinWilliam Largent,  Martin Rehak,  Michal Svoboda, and Veronica Valeros.

During an average day of surfing the web via computer, smartphones, and tablets, we are constantly deluged by advertising. Total annual Internet advertising revenue will approach $200bn by the year 2018, making it an extremely lucrative business and in turn an attractive attack vector known as malvertising.

Read More »

Tags: , , , , ,

Be More Effective, Be More Efficient: The Mantra for Many Adversaries in 2014

Adversaries are committed to continually refining or developing new techniques to conceal malicious activity, decrease their reliance on other techniques that may be more detectable, and become increasingly more efficient and effective in their attacks. Below are just three examples—explored in detail in the newly released Cisco 2015 Annual Security Report—of how malicious actors met these goals in 2014. These trends were observed by Cisco Talos Security Intelligence and Research Group throughout last year, and analyzed by the team using a global set of telemetry data:

  • Use of malvertising to help deliver exploit kits more efficiently—Talos noted three exploit kits we observed “in the wild” more than others in 2014: Angler, Goon, and Sweet Orange. More than likely, their popularity is due to their technical sophistication in terms of their ability to evade detection and remain effective. The Sweet Orange kit, for example, is very dynamic. Its components are always changing. Adversaries who use Sweet Orange often rely on malvertising to redirect users (often twice) to websites that host the exploit kit, including legitimate websites.
  • Increase in Silverlight exploitation—As we reported in both the Cisco 2014 Midyear Security Report and the Cisco 2015 Annual Security Report, the number of exploit kits able to exploit Microsoft Silverlight is growing. While still very low in number compared to more established vectors like Flash, PDF, and Java, Silverlight attacks are on the rise. This is another example of adversaries exploring new avenues for compromise in order to remain efficient and effective in launching their attacks. The Angler and Goon exploit kits both include Silverlight vulnerabilities. Fiesta is another known exploit kit that delivers malware through Silverlight, which our team reported on last year.


  • The rise of “snowshoe spam”—Phishing remains an essential tool for adversaries to deliver malware and steal users’ credentials. These actors understand that it is more efficient to exploit users at the browser and email level, rather than taking the time and effort to attempt to compromise servers. To ensure their spam campaigns are effective, Talos observed spammers turning to a new tactic last year: snowshoe spam. Unsolicited bulk email is sent using a large number of IP addresses and at a low message volume per IP address; this prevents some spam systems from detecting the spam, helping to ensure it reaches its intended audience. There is also evidence that adversaries are relying on compromised users’ machines as a way to support their snowshoe spam campaigns more efficiently. Snowshoe spam contributed to the overall increase of spam volume by 250 percent in 2014.

These are only a few of the threat intelligence findings presented in the Cisco 2015 Annual Security Report. We encourage you to read the whole report, but also, to stay apprised of security trends throughout the year by following our reports on the Cisco Security blog. Talos is committed to ongoing coverage of security threats and trends. In fact, in the Cisco 2015 Annual Security Report, you’ll find links to several posts that our researchers published throughout 2014, and were used to help shape and inform our threat intelligence coverage in the report.

Tags: , , , , ,

Cisco Email Security Stays Ahead of Current Threats by Adding Stronger Snowshoe Spam Defense, AMP Enhancements, and More…

If you read the recently released Cisco Annual Security Report, you will have learned how spammers have adopted a “Snowshoe” strategy, using a large number of IP addresses with a low message volume per IP address, to send spam, preventing some spam systems from sinking the spam. This yielded a 250 percent increase in spam from January 2014 to November 2014. Or, perhaps the fact that malicious actors are using malvertising (malicious advertising) from web browser add-ons as a medium for distributing malware and unwanted applications caught your eye in the report. In order to protect against these types of emerging threats, Cisco showcases its continued thought leadership in email security to offer even greater protection and control across the attack continuum, while also providing additional flexibility for centralized management. Read More »

Tags: , , , , , , , , , , ,

Threat Spotlight: “Kyle and Stan” Malvertising Network 9 Times Larger Than Expected

This post was authored by Armin Pelkmann.

On September 8th, Cisco’s Talos Security Intelligence & Research Group unveiled the existence of the “Kyle and Stan” Malvertisement Network. The network was responsible for placing malicious advertisements on big websites like,,, and 70 other domains. As it turns out, this was just the tip of the iceberg. Ongoing research now reveals the real size of the attackers’ network is 9 times larger than reported in our first blog. For more details, read the Kyle and Stan Blog.

The infographic below illustrates how much more of the malvertisement network was uncovered in comparison to our first assessment. We have now isolated 6491 domains sharing the same infrastructure. This is over 9 times the previously mentioned 703 domains.  We have observed and analyzed 31151 connections made to these domains. This equals over 3 times the amount of connections previously observed. The increase in connections is most likely not proportional to the domains due to the fact that a long time that has passed since the initial attacks.


The discovery difference from the previous blog to this one in raw numbers. With more than 3-times the now observed connections and over 9-times the revealed malicious domains, this malvertising network is of unusually massive proportions.

Read More »

Tags: , , , , , , , , , , , , , , , , , ,