Hackers are setting up plausible phoney websites to spread malware.
A malicious advert network affecting Amazon, Yahoo and YouTube is nine times larger than expected, according to the networking firm Cisco.
Malverts placed alongside legitimate ads drop spyware, adware or browser hijackers onto victims computers, in a scam that is thought to have been ongoing for at least two and a half years.
Armin Pelkmann, threat researcher at Cisco, said: "The "Kyle and Stan" network is a highly sophisticated malvertising network.
"It leverages the enormous reach of well placed malicious advertisements on very well known websites in order to potentially reach millions of users."
Since first discovering it earlier this month Cisco has isolated 6,500 infected domains and analysed more than 31,000 connections made to it.
A mixture of temporary and more permanent domains are being used to spread the viruses, with a site set up at winrar.com among the most plausible because of its modern design and web address.
"While these indicators may not be entirely sufficient to determine the location of the masterminds behind this network, it is obvious that a part of the operation is run on servers hosted in Spain."