Malwarebytes detected the attack through users who use its Anti-Exploit software. If someone using Malwarebytes' software went to The New York Times and encountered a malicious ad, the attack would be blocked and also reported to Malwarebytes.
"That's how we are able to say this is where it happened," Segura said.
The large attack on Sunday was presaged by a smaller attack on Friday using a different exploit kit called Rig. Segura theorized that the smaller attack, which still hit some major publishers, may have been a test run for the larger one on Sunday, which he said was 10 times the size normally seen.
Malvertising has proven tough to stamp out. Online advertising companies use a variety of security tools to try to catch malicious ads, but those tools are far from foolproof.
Also, the byzantine relationships between ad-serving companies and the highly automated way online ads are sold and delivered provide ample opportunity for miscreants to get malicious ads circulating.
"It's hard to imagine, but a lot of the ad networks don't know each other very well and yet they're doing business with each other," Segura said.
The path an ad takes before it is loaded onto a Web page is often a long trail of companies that have ad-related business relationships. Since advertising slots are often sold through real-time bidding, speed is also a factor.
For example, the first request for an ad to be delivered to The New York Times' website might come from Google's DoubleClick servers, Segura said. But the actual ad may come from further down a long chain, and Google may not "always know who is responsible," Segura said.
"That's a bit of a problem," he said.