SecurityWeek
Malvertising Attack Served Using AOL Ad Network: Cyphort

Security company Cyphort has detected a malvertising attack that hit multiple websites, including Huffington Post and LA Weekly.

The culprit was an AOL ad network. According to Cyphort, the firm first detected the infection on the Canadian version of Huffington Post (huffingtonpost.ca) Dec. 31, and then on Huffingtonpost.com on Jan. 3. Cyphort notified AOL of the situation, and the attacks stopped Jan. 5.

“In this case all the malicious ads came via advertising networks that belong to AOL,” explained Nick Bilogorskiy, director of security research at Cyphort. “We don’t know exactly how it got there. When we consulted our logs we… [saw] the issue started in late October. So, one possibility is that AOL itself has been breached. Another possibility is that attackers are submitting the malicious ads and have AOL approving these ads for use in the ad network.”

According to Cyphort, the ad redirected users through multiple hops. The landing page served an exploit kit that hit victims with a Flash exploit and a VB script. The script in turn downloaded the Kovter Trojan executable to %temp%. The malvertising was served from advertising.com, which has been linked to attacks on several sites during the past several days.

“Of particular interest in this attack is the unique use of redirection via HTTPS (Hypertext Transfer Protocol Secure, a communications protocol for secure encrypted communication),” said Bilogorskiy. “When a user opens [the] Huffington Post web site, several scripts are executed from the advertising network to show ads. One of these scripts loads an external function through HTTPS from Google AppSpot, and this function loads another redirect through HTTPS. And only then does the user receive redirects to the malware payload. It makes it harder to analyze the origin of the attack because even if a security company has the recorded network traffic it is impossible to decrypt and reconstruct the origin of the malware redirect.”

The malicious scripts were inserted alongside many different ads from advertising.com.

Cyphort suspects the exploit kit used in the attack is the Neutrino kit, but it may be the Sweet Orange kit. The group behind the attack is believed to have compromised, or to have access to, multiple .pl domains in Poland, and is making redirects via sub-domains of these sites, Bilogorskiy added. In addition to the advertising.com advertising network, Cyphort has also seen “adtech.de” redirecting to these infected Polish sites. Both of these platforms are owned by AOL.

“The ad networks get millions of ads submitted to them and any one of those could be malvertising,” Bilogorskiy said. “They try to detect and filter malicious ads from their systems, but it is challenging. The potential damage is high, as ad networks have a very deep reach and can infect many people quickly.”

“The attackers are accustomed to tricking the networks by making ‘armored’ malverts, where they use various techniques to appear legitimate to the analysts, but infect the users nonetheless,” he continued. “For instance they will enable the malicious payload after a delay of several days after the ad is approved. Another way is to only serve the exploits to every 10th user, or every 20th user who views the ad. Verifying user agents and IP addresses also is a common strategy to hide from analysts and automated malware detection. The attackers can implement various targeting strategies for malware infection, which appear normal in the context of advertisement, but in effect evade certain security detection.”

Bilogorskiy recommended that website owners scan all files on their sites for malware, injections and redirects, and provide an easily identifiable contact point so that users can report malware infections to them.
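One way to act on that recommendation, as an added example that is not Cyphort's or AOL's tooling: a small Python scanner that walks a site's files and flags script tags loading from hosts outside the site's allowlist, client-side redirects, and common obfuscation markers. The allowlist, file extensions and sample page are constructed for the example.

```python
import re
from pathlib import Path

# Hosts this site legitimately loads scripts from (constructed allowlist for the example).
ALLOWED_ORIGINS = {"www.example-site.test", "cdn.example-site.test"}
SCANNED_SUFFIXES = {".html", ".htm", ".js", ".php"}

# <script ... src="https://host/..."> or protocol-relative src="//host/..."; group 2 is the host.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']?(https?:)?//([^/"\'\s>]+)', re.I)
# Client-side redirects: location assignments, location.replace(), meta refresh.
REDIRECT = re.compile(
    r'(?:window\.|document\.)?location(?:\.href)?\s*=(?!=)|location\.replace\s*\(|http-equiv=["\']refresh', re.I)
# Obfuscation markers often found in injected loaders.
OBFUSCATED = re.compile(r'\beval\s*\(|unescape\s*\(|String\.fromCharCode|(?:\\x[0-9a-f]{2}){8,}', re.I)

def scan_text(text, path="<inline>"):
    """Return (path, line, kind, detail) findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SCRIPT_SRC.finditer(line):
            host = m.group(2).lower()
            if host not in ALLOWED_ORIGINS:
                findings.append((path, lineno, "external-script", host))
        if REDIRECT.search(line):
            findings.append((path, lineno, "redirect", line.strip()[:80]))
        if OBFUSCATED.search(line):
            findings.append((path, lineno, "obfuscation", line.strip()[:80]))
    return findings

def scan_dir(root):
    """Scan every web file under root; review findings by hand, they are leads, not verdicts."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in SCANNED_SUFFIXES:
            findings.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return findings

# Constructed sample page: one legitimate script, one injected foreign loader, one delayed redirect.
SAMPLE = """<html><head>
<script src="https://cdn.example-site.test/app.js"></script>
<script src="//ads.unknown-host.test/loader.js"></script>
</head><body>
<script>setTimeout(function(){ window.location = "https://x.sub.example-redirect.test/"; }, 3000);</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.html"):
        print(f)
```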

Written By

Marketing professional with a background in journalism and a focus on IT security.
