The attack originates from a pornographic site that is displaying adverts through an ad agency called AdXpansion.com. The ad is not made in Flash, instead it is a GIF animated picture which in theory should make reading the underlying code much easier. But the mechanism used to perform this action is not clear and it is keeping a security researcher up at night. The code is used to search on a string with a regular expression. It will try to match the letters u, s and i followed by the = sign. The result is that this ad is malicious and it redirects the browser to an exploit kit landing page.”]
Source: https://blog.malwarebytes.com/threat-analysis/2014/11/the-proof-is-in-the-cookie/