The main reason I started using ScriptSafe was because I got infected with a piece of malware, a clock set program that also sent the writer my internet tracking history, through a banner ad on a web comic site that used a javascript vulnerability. I know is quite possible, and used frequently. In my case, it was by a "legitimate" advertising company. They didn't have the intent of stealing passwords or robbing people or companies, but they didn't disclose the full nature of the program and used a javascript vulnerability to install it on people's systems without permission. Another particularly insidious part was that the javascript vulnerability didn't even require a click. The user just had to have their mouse pass over the banner, and it would trigger. I don't remember the name of the program or the company as this was back in 2004 some time, but once discovered, many web sites quit using that advertising company , and they eventually went out of business.
I also happen to know that the old "XP Anti-virus" fake anti-virus extortionware was also frequently installed using javascript vulnerabilities as well as flash vulnerabilities. That program and all its variants was a nightmare for me when I was working desktop support. I do all I can to avoid that these days.
I did find this article that you guys might find interesting:
http://www.infosecstuff.com/how-hackers-use-javascript-...
All a hacker has to do is get into an advertiser's site and insert a few lines calling their own script, and whenever that particular banner is served up, it has a chance to infect a system. All it takes is a click, or even a mouseover in some cases, and the system gets infected.
I can't tell which advertiser it is, as I am not a programmer. I am not capable of tracking through the lines of code to find the particulars, plus it refreshes twice per second, so the listing for the script that triggers it disappears too quickly to even get listed in ScriptSafe for approval. The ScriptSafe list closes ever time the page closes and requires another click to open it every time the page refreshes, which makes it quite difficult to track this one. I think they did that on purpose to avoid detection. I'm just letting you know what's happening. It's up to you and your investigators to figure out the particulars, and hopefully disclose that info to the police for an arrest.