According to a new cybersecurity industry report, YouTube videos are the newest targets for malicious advertising. The current rash of malvertising attacks use an aggressive exploit known as Sweet Orange and have redirected more than 113,000 users in only a month, according to security researcher Joseph C. Chen.

Malvertising schemes trick users into clicking on what looks like a legitimate ad before redirecting them to malicious sites. The types of schemes can cause major trouble for legitimate advertisers, as customers can become cautious of clicking on any ads for fear of being compromised. Hackers utilize malicious advertising in order to collect a large number of victims in a short amount of time, and a high-traffic site like YouTube can offer a massive pool of potential targets.

The Sweet Orange exploit being used looks for machines with one of four vulnerabilities that can affect Internet Explorer, Java or Adobe Systems’ Flash application, PC World reported. If the exploit is used correctly, malware is delivered to the infected device. The malware commonly used in these attacks, KOVTER, is often involved in ransomware campaigns as well. Users of the Internet Explorer browser appear to be most at risk and researchers recommend using an up-to-date version to avoid being compromised.

Chen noted in a blog post about the attacks that the strategic placement of the ads is especially concerning, as it is the videos that have been viewed the most that are featuring malicious ads. One of the videos Chen tracked was a music video posted by a major record label with more than 11 million hits, Business Insider reported.

Malvertising Network Employed Evasive Measures

According to Chen, the YouTube ads are not leading users to malicious sites themselves. Traffic flows through two advertising sites prior to victims encountering anything nefarious, leading researchers to conclude that the cybercriminals behind the scheme bought their traffic from legitimate ad providers.

To create the illusion of a legitimate service, the hackers modified the domain name service of a Polish government site to include subdomains directing traffic to their own servers. To further avoid suspicion, traffic was first redirected through two servers in the Netherlands before eventually ending up on servers in the U.S.

The industry report found that malvertising attacks are overwhelmingly taking place in the U.S., with 95.8 percent of all instances occurring in the country. YouTube owner Google has had growing problems with malicious advertising in recent years, removing 130 million more suspicious ads in 2013 than it did the year before, according to Business Insider.

As cybercriminals increasingly target major websites to host their malware, enterprise security needs to become a bigger priority. For companies looking to protect their sensitive information and that of their customers, utilizing a third-party cybersecurity provider to protect privileged data is the most reliable way to ensure data security.

Entrust Datacard