This from the fantastic Google paper "All Your iFRAMEs Point to Us":
The landing page in our example
refers to a Dutch radio station’s web site. The radio station in question was
showing a banner advertisement from a German advertising site. Using
JavaScript, that advertiser redirected to a prominent advertiser in the US,
which in turn redirected to yet another advertiser in the Netherlands. That
advertiser redirected to another advertisement (also in the Netherlands) that
contained obfuscated JavaScript, which when un-obfuscated, pointed to yet
another JavaScript hosted in Austria. The final JavaScript was encrypted and
redirected the browser via multiple IFRAMEs to adxtnet.net, an exploit site
hosted in Austria. This resulted in the automatic installation of multiple
Trojan Downloaders.
According to the paper, 12% of the 1.3% of Google searches that return a malicious link are due to Advertising syndicates. The quote illustrates how convoluted this can all get.
I’ll have more to say about the paper later.
(Thanks, Hoff-man, for my bedtime reading.)