The malicious ads are distributed via the AppNexus ad platform (adnxs.com). Users who click on them are redirected to a landing page for the Angler exploit kit, which then downloads TeslaCrypt ransomware. Historically, TeslaCrypt ransom demands have asked victims for $500 in bitcoins in order to unlock encrypted files.
F-Secure initially noted in a blog post that the campaign ended very quickly, peaking over a period of five hours spanning Feb. 9 and 10. However, Karmina Aquino, senior manager of threat research at F-Secure, told SCMagazine.com in a Thursday email correspondence, “I checked our telemetry again this afternoon and the activity has resumed, which still show[s] evidence of Skype displaying the malicious ads.”
Users who have been victimized via their browsers encountered the malicious advertising while visiting one of several targeted websites, including Italian online marketplace eBay.it, gaming sites Wowhead, GSN.com, ZAM and Wikia.com, the news site Daily Mail Online and the MSN.com Internet portal.
Clicking the ad from Skype, on the other hand, launches the user's default browser, and so the effect would be the same, explained Aquino, adding, “These activities have not led us to conclude that Skype is the main target of the attackers; rather, the infection that happened through Skype is just a side effect because Skype uses the same ad platform that the attackers compromised.”