A virulent malvertising campaign has been discovered using AOL's advertising network to strike legitimate websites.
Originally reported by the security team at Cyphort Labs, the malvertising campaign was first discovered on The Huffington Post's Canadian website domain. However, several days later, the security experts also detected the scheme running on the news publication's US website, among others. Websites reportedly hit by malvertising included soapcentral.com, mojosavings.com, laweekly.com and houstonpress.com.
The Huffington Post service alone has over 51 million monthly visitors. It is estimated that up to 1.5 billion users may have been exposed in total through the full network of impacted websites.
Security firm Malwarebytes has also been tracking the campaign. Other domains appear to have succumbed to malvertising, as shown below.
The running thread? AOL's advertising network, advertising.com.
The malvertising campaign works in a number of stages. In the case of huffingtonpost.ca, the website was hosting an advertisement funneled through AOL's network. The advert then redirected users through multiple hoops, eventually reaching a malicious page which served the user with an exploit kit containing a Flash exploit and a VB script. The script then downloaded a Kovter Trojan executable which would land in %temp%.
The servers used in this attack were hidden using a mix of HTTP and HTTPS redirects. Director of Security Research at Cyphort Nick Bilogorskiy explained:
"Attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack. The HTTPS redirector is hosted on a Google App Engine page. This makes analysis based on traffic PCAPs more difficult, because HTTPS traffic is encrypted."
Cyphort Labs suspects the exploit kit used within the malvertising campaign was NeutrinoEK, but there is also similar traits within the Sweet Orange kit.
In response to the findings, AOL said the company is "committed to bringing new levels of transparency to the advertising process, ensuring ads uphold quality standards and create positive consumer experiences."
Jerome Segura, Senior Security Researcher at Malwarebytes commented:
"Malvertising is a huge issue that affects a wide range of people. End users, of course, but also advertisers and publishers who have to fight to defend their legitimacy. Cyber criminals will likely continue to hijack ad networks with malicious code and pocket the dividends from hundreds of thousands of successful infections.
This particular campaign is likely to migrate to other controllers or evolve into something else since it is now in the public domain and affected parties are cleaning up and securing their systems."
Both Cyphort Labs and Malwarebytes will continue tracking the campaign.
Read on: In the world of security