Three Online Casinos Infect Users With Malware
A three-week campaign recently discovered by Malwarebytes used casino websites as a decoy to silently infect users with malware. First, visitors to a number of websites, including torrent trackers, live streams and pirated software sites, were served malicious advertising. The advertising automatically redirected them to one of three casino websites: onlinecasinofun.org, pennyslot.net, or playcasino77.com. These websites silently ran the Angler or Neutrino exploit kit on user machines, which then infected them with additional malware.
An exploit kit such as Angler or Neutrino is a program designed to identify software vulnerabilities in users’ machines and exploit these flaws by infecting the user with opportunistic malware. In this case, the exploit kit was infecting users with over thirty different forms of malware including CryptoWall ransomware, which encrypts users’ files and demands a ransom to be paid in order to unlock them.
The three-week campaign had the chance to infect a significant number of users. According to the researchers, “before September the traffic on those three domains was quasi-nonexistent but all of the sudden spiked through the roof for a combined total of over 1 million visits.” The researchers also looked at the website traffic generated by the advertising networks serving the malicious content. According to SimilarWeb, the ad networks generated an estimated 2 billion visitors in October. Jerome Segura, a senior security researcher, stated that “In all likelihood, a very large number of people were exposed to malware because of this campaign.”
This malware campaign demonstrates the gamble people take when visiting illegitimate torrent and piracy websites. The researchers note that “Since this campaign affected dubious publishers likely to turn a blind eye on ‘advertising issues’ as well as visitors knowing they were consuming illegal content, there was little reason for anybody to report any incident.” In the end, users were dealt a bad hand.