A malicious advert network affecting Amazon, Yahoo and YouTube is nine times larger than expected, according to the networking firm Cisco.
Malverts placed alongside legitimate ads drop spyware, adware or browser hijackers onto victims computers, in a scam that is thought to have been ongoing for at least two and a half years.
Armin Pelkmann, threat researcher at Cisco, said: "The "Kyle and Stan" network is a highly sophisticated malvertising network.
"It leverages the enormous reach of well placed malicious advertisements on very well known websites in order to potentially reach millions of users."
Since first discovering it earlier this month Cisco has isolated 6,500 infected domains and analysed more than 31,000 connections made to it.
A mixture of temporary and more permanent domains are being used to spread the viruses, with a site set up at winrar.com among the most plausible because of its modern design and web address.
"The source of the websites contains a few Spanish words in the JavaScript," Pelkmann added. "Additionally a lot of the Whois records are pointing at services operated out of Spain.
"While these indicators may not be entirely sufficient to determine the location of the masterminds behind this network, it is obvious that a part of the operation is run on servers hosted in Spain."