Security company Cyphort has detected a malvertising attack that hit multiple websites, including Huffington Post and LA Weekly.
The culprit was an AOL ad network. According to Cyphort, the firm first detected the infection on the Canadian version of Huffington Post (huffingtonpost.ca) Dec. 31, and then on Huffingtonpost.com on Jan. 3. Cyphort notified AOL of the situation, and the attacks stopped Jan. 5.
“In this case all the malicious ads came via advertising networks that belong to AOL,” explained Nick Bilogorskiy, director of security research at Cyphort. “We don’t know exactly how it got there. When we consulted our logs we… [saw] the issue started in late October. So, one possibility is that AOL itself has been breached. Another possibility is that attackers are submitting the malicious ads and have AOL approving these ads for use in the ad network.”
According to Cyphort, the ad redirected users through multiple hops. The landing page served an exploit kit that hit victims with a Flash exploit and a VB script. The script in turn downloaded the Kovter Trojan executable to %temp%. The malvertising was served from advertising.com, which has been linked to attacks on several sites during the past several days.
“Of particular interest in this attack is the unique use of redirection via HTTPS (Hypertext Transfer Protocol Secure, a communications protocol for secure encrypted communication),” said Bilogorskiy. “When user opens [the] Huffington Post web site, several scripts are executed from the advertising network to show ads. One of these scripts loads an external function through HTTPS from Google AppSpot, and this function loads another redirect through HTTPS. And only then the user receives redirects to malware payload. It makes it harder to analyze the origin of attack because even if a security company has the recorded network traffic it is impossible to decrypt and reconstruct the origin of the malware redirect.”
The malicious scripts were inserted alongside many different ads from advertising.com.
The exploit kit used in the attack is suspected by Cyphort to be the Neutrino kit, but may be the Sweet Orange kit. The group behind the attack is believed to have compromised or have access to multiple .pl domains in Poland, and is making redirects via sub-domains for these sites, he added. In addition to the advertising.com advertising network, Cyphort has also seen “adtech.de” redirecting to these infected Polish sites. Both of these platforms are owned by AOL.
“The ad networks get millions of ads submitted to them and any one of those could be malvertising,” Bilogorskiy said. “They try to detect and filter malicious ads from their systems, but it is challenging. The potential damage is high, as ad networks have a very deep reach and can infect many people quickly.”
“The attackers are accustomed to tricking the networks by making “armored” malverts, where they use various techniques to appear legitimate to the analysts, but infect the users nonetheless,” he continued. “For instance they will enable the malicious payload after a delay of several days after the ad is approved. Another way is to only serve the exploits to every 10th user, or every 20th user who views the ad. Verifying user agents and IP addresses also is a common strategy to hide from analysts and automated malware detection. The attackers can implement various targeting strategies for malware infection, which appear normal in the context of advertisement, but in effect evade certain security detection.”
Bilogorskiy recommended website owners scan all files on their site for malware, injections and redirects, and provide an easily identifiable contact point so that users can report malware infections to them.