In the campaign, users running vulnerable versions of Internet Explorer were targeted, Joseph Chen, a fraud researcher at the firm, said in a Tuesday blog post. Chen explained the redirection method used by attackers, as YouTube visitors weren’t sent directly to malicious sites.
“Instead, the traffic passes through two advertising sites, suggesting that cybercriminals behind this campaign bought their traffic from legitimate ad providers,” Chen wrote. “In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site.” Instead of compromising the site, miscreants altered DNS information by “adding subdomains that lead to their own servers,” he added.
Ultimately, the attacks led to malware, called “Kovter,” which is used to carry out ransomware scams.