Apparently this had been going on for a couple of years...

"The criminals were able to send banner ads and javascript to their
targets' computers by pushing both into ad networks. These networks
aggressively scan advertisers' javascript for suspicious code, so the
criminals needed to sneak their bad code past these checks.
To do this, they made tiny alterations to the transparency values of the
 individual pixels of the accompanying banner ads, which were in the PNG
 format, which allows for pixel-level gradations in transparency. The
javascript sent by the attackers would run through the pixels in the
banners, looking for ones with the telltale alterations, then it would
turn that tweaked transparency value into a character. By stringing all
these characters together, the javascript would assemble a new program,
which it would then execute on the target's computer.

This new program triggered a network request to a site controlled by the
 attackers, which repeatedly checked the target's computer to see if it
was running inside a virtual machine (a telltale sign of a paranoid
user, possibly a security researcher who would figure out what was going
 on) or whether it had any anti-virus software. Once it was satisfied
that the target was not in a position to detect active attacks, it
launched exploits targeted at Internet Explorer/Flash to hijack the
machine and gather the user's keystrokes, with a special emphasis on
bank-industry information."

   [1]http://boingboing.net/2016/12/07/for-two-years-criminals-stole.html
   More:
   [2]http://arstechnica.com/security/2016/12/millions-exposed-to-malverti
   sing-that-hid-attack-code-in-banner-pixels/

References

   1. http://boingboing.net/2016/12/07/for-two-years-criminals-stole.html
   2. http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/