Malvertising campaign used Wajam browser extension to infect PCs

David bisson
David Bisson

Malvertising campaign used Wajam browser extension to infect users

Researchers recently spotted a malvertising campaign that used the Wajam browser add-on to redirect users to the Angler exploit kit.

On Monday, Malwarebytes security researcher Jérôme Segura published a blog post in which he explains how he and his colleagues had been investigating a recent malvertising attack when they came across something interesting.

They found that each of the browser sessions contained additional code injected by Wajam, a browser extension that injects low-quality ad banners into existing web-pages by pulling code from various ad networks.

Sign up to our free newsletter.
Security news, advice, and tips.

Stuffed ad

“The problem with this business model (especially with low quality ads), is that sooner or later something bad is bound to happen. Case in point, the following malvertising attack infected users because they had the Wajam browser add-on that loaded an advert via the Adk2x (Plymedia) ad network.”

If users click on the advert, which is paid for by a fraudulent advertiser, they could be redirected to a landing page for the malicious Angler exploit kit, which has the ability to install all sorts of unpleasantness onto computers.


Segura has since reported the malvertising campaign to Plymedia.

This incident is believed to be connected with another attack campaign that targeted celebrity gossip news site TMZ, Rotten Tomatoes, and other online publishers over the past few weeks.

For at least a month now, it has been known that Wajam commonly installs itself onto users’ machines without their consent if it comes bundled with legitimate software. The extension is not malicious, per se, but it does have the ability to inject ads into Google search results and into any site to which you navigate, a feature which can be leveraged by malvertisers.

Clearly, the add-on is a potentially unwanted program. For information on how you can remove it and protect yourself against attack campaigns similar to the one observed by Malwarebytes, click here.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.