Hackers have harnessed the power of two advertising networks, Google's DoubleClick and Zedo, to run ads that install malware on users' computer.
According to IT security firm Malwarebytes, the Times of Israel, The Jerusalem Post and Last.fm have all been exploited by cybercriminals with malvertising.
Jerome Segura, a senior security researcher with Malwarebytes, said in a blog post his company "rarely see attacks on a large scale like this".
While ad networks work hard to ensure they filter out malware, the occasional piece will slip through the net, meaning on a high-traffic website, malware can spread to a large number of victims. It also means the site serving up the malware is often doing so unknowingly.
He said the ads lead users to sites containing an exploit kit known as "Nuclear".
The malware looks to see if a vulnerable version of Adobe Flash is running or an unpatched version of Internet Explorer. If this is found, it then downloads the Zemot malware, which connects to a remote server and downloads a raft of other malicious applications.
The Zemot malware was identified by Microsoft earlier this month. According to Microsoft, Zemot is usually distributed not only by the Nuclear exploit kit but also by the Magnitude exploit kit and spambot malware Kuluoz.
"What is important to remember is that legitimate websites entangled in this malvertising chain are not infected. The problem comes from the ad network agency itself," said Segura.
Segura warned users to keep their systems up-to date, with current antivirus and anti-malware protection. The firm has also warned the websites about inadvertently serving up malware in advertising.
Earlier this month, Kyle and Stan malvertising showed up on hundreds of websites including Amazon, YouTube and Yahoo.
