Connect with us

Hi, what are you looking for?


Malware & Threats

Malvertising Attack Served Using AOL Ad Network: Cyphort

Security company Cyphort has detected a malvertising attack that hit multiple websites, including Huffington Post and LA Weekly.

Security company Cyphort has detected a malvertising attack that hit multiple websites, including Huffington Post and LA Weekly.

The culprit was an AOL ad network. According to Cyphort, the firm first detected the infection on the Canadian version of Huffington Post ( Dec. 31, and then on on Jan. 3. Cyphort notified AOL of the situation, and the attacks stopped Jan. 5.

“In this case all the malicious ads came via advertising networks that belong to AOL,” explained Nick Bilogorskiy, director of security research at Cyphort. “We don’t know exactly how it got there. When we consulted our logs we… [saw] the issue started in late October. So, one possibility is that AOL itself has been breached. Another possibility is that attackers are submitting the malicious ads and have AOL approving these ads for use in the ad network.”

According to Cyphort, the ad redirected users through multiple hops. The landing page served an exploit kit that hit victims with a Flash exploit and a VB script. The script in turn downloaded the Kovter Trojan executable to %temp%. The malvertising was served from, which has been linked to attacks on several sites during the past several days.

“Of particular interest in this attack is the unique use of redirection via HTTPS (Hypertext Transfer Protocol Secure, a communications protocol for secure encrypted communication),” said Bilogorskiy. “When user opens [the] Huffington Post web site, several scripts are executed from the advertising network to show ads. One of these scripts loads an external function through HTTPS from Google AppSpot, and this function loads another redirect through HTTPS. And only then the user receives redirects to malware payload. It makes it harder to analyze the origin of attack because even if a security company has the recorded network traffic it is impossible to decrypt and reconstruct the origin of the malware redirect.”

The malicious scripts were inserted alongside many different ads from

The exploit kit used in the attack is suspected by Cyphort to be the Neutrino kit, but may be the Sweet Orange kit. The group behind the attack is believed to have compromised or have access to multiple .pl domains in Poland, and is making redirects via sub-domains for these sites, he added. In addition to the advertising network, Cyphort has also seen “” redirecting to these infected Polish sites. Both of these platforms are owned by AOL.

Advertisement. Scroll to continue reading.

“The ad networks get millions of ads submitted to them and any one of those could be malvertising,” Bilogorskiy said. “They try to detect and filter malicious ads from their systems, but it is challenging. The potential damage is high, as ad networks have a very deep reach and can infect many people quickly.”

“The attackers are accustomed to tricking the networks by making “armored” malverts, where they use various techniques to appear legitimate to the analysts, but infect the users nonetheless,” he continued. “For instance they will enable the malicious payload after a delay of several days after the ad is approved. Another way is to only serve the exploits to every 10th user, or every 20th user who views the ad. Verifying user agents and IP addresses also is a common strategy to hide from analysts and automated malware detection.  The attackers can implement various targeting strategies for malware infection, which appear normal in the context of advertisement, but in effect evade certain security detection.”

Bilogorskiy recommended website owners scan all files on their site for malware, injections and redirects, and provide an easily identifiable contact point so that users can report malware infections to them. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...