The Media Trust’s malware team, which provides data protection and security, has discovered a malware campaign — about 21 separate incidents — that hit dozens of global digital media publishers and at least 15 ad networks.

The malware uses JavaScript commands to hide within HTML5 creative ads. The malware is broken into chunks, making it hard to detect by the same attributes that enable HTML5 to render images, videos and audio. It then reassembles when certain conditions are met.

HTML5 malware isn’t new, but this is “a bit of code we have not seen before,” said Brandon Chen, malware desk manager at The Media Trust. “There’s an extra block of code that executes the redirect on the page.”

Chen said that buyers, publishers and all those in between need to take responsibility to monitor activity coming from their platforms.

There are several reasons for redirects such as impression fraud, but in this case the reason is for the person viewing the page to give up personal information.

In a blog post, Patrick Ciavolella, head of malware and analytics at The Media Trust, describes how the scale of the attack marks a turning point for HTML5’s alleged security by demonstrating advances that malware developers have made in exploiting the open standards’ basic functions to launch an attack.

When a user views the webpage, the JavaScript checks the device to determine whether the device is iOS and if the user is connected through their carrier.

When the device meets certain criteria, the JavaScript inserts the malicious code into the website. The malware is reassembled and issues a separate call to automatically redirect the click to a new domain.

It then serves a pop-up ad requesting the person to input personal information. As this occurs, the JavaScript puts together the ad’s various components.

Ciavolella notes in the blog post that stopping this malware has become more urgent than in the past, with the enforcement of the European General Data Protection Regulation (GDPR).

Those responsible for allowing the malicious malware to remain on the site could become responsible, Chen added. “It’s not difficult to see how malicious actors could start using the GDPR framework against you,” he said.

The GDPR, which penalize infringing organizations as much as 4% of their annual revenue, is a precursor to what appears to be a growing trend around the world toward greater online privacy. 

The Media Trust notes that this campaign is quickly spreading through the online world, waiting for individuals with the right devices to trigger the collection of personally identifiable information.