GameZone, Huffington Post hit by malvertising attack

Criminals hijacked ads on AOL's Advertising.com network

ransom note
Credit: Keith Hall via Flickr

Criminals hijacked ads on AOL's Advertising.com network and served drive-by malware downloads to visitors to the Huffington Post, LA Weekly, GameZone, and other sites last week, according to a report from Santa Clara-based security company Cyphort Inc.

Cyphort reported the problem to AOL on January 3 and the issue was fixed within two days, said Nick Bilogorskiy, Cyphort's director of security research.

"They cleaned it up and for now it seems okay," he said. "But it could reoccur and we're monitoring for that."

What happened was that cybercriminals were able to modify or replace the script that was supposed to deliver advertising to online publications.

Other sites hit included Mandatory.com, LA Weekly, FHM, Good Drama, Soap Central, WeatherBug, Mojo Savings, Buzzlie.com, RTV6, and WMUR9.

"The advertising network was launching a script that was malicious," Bilogorskiy said.

That script, instead of serving a legitimate ad, pulled in another site instead, which in turned pulled in another site and -- half a dozen more hops later -- landed on a site owned by the Polish government.

That site, in turn, served a Flash exploit and a Visual Basic script that downloaded the Kovter ransomware. Kovter blocks access to a user's keyboard and mouse until the user pays a ransom of around $300.

"We are reaching out to Poland to get that cleaned up," said Bilogorskiy.

The number of hops was unusual, he added, as was the fact that the attackers used a mix of HTTP and HTTPS redirects to hide the servers used. The HTTPS redirector was hosted on the Google App Engine.

The wide reach of the platform, combined with the fact that users get infections from sites that they otherwise know and trust, makes this attack particularly nasty.

AOL's advertising networks sees 199 million unique visitors per month, reaching 89 percent of the U.S. Internet audience.

There are several ways that the malicious code could have gotten on AOL's network, Bilogorskiy said.

One possibility is that AOL itself was breached. Another is that the hackers were able to by pass the filters that AOL uses to monitor ads on their network.

"This is a big problem for every advertising network," he said.

For example, in the fall, malvertising was found on several ad networks, including Rubicon, Yahoo Advertising's Right Media, and OpenX. In that campaign, which ran in September and October, criminals used the compromised ad network to deliver drive-by downloads of the Cryptowall ransomware.

A similar attack in October successfully targeted YouTube ads. According to security researchers at Trend Micro, that campaign also involved a Polish government website and delivered the Kovter ransomware.

Bilogorskiy said he expects to see the amount of malvertising to "increase significantly" in 2015.

"There are millions of ads being served and there are multiple ways that hackers can modify their ads to bypass detection," he said.

For example, a malicious ad might seem legitimate at first, but only manifest as evil several days later, or only once for every 20 or 30 loads.

That means that advertising networks need to keep a close eye on their ads for as long as they are running.

"And it will reduce their performance and hurt their ability to scale," he added. "They know they have this problem and don't have a solution yet."

Meanwhile, the only way for users to protect themselves is to keep their antivirus up-to-date and hope that the hackers aren't using a zero-day exploit.

This story, "GameZone, Huffington Post hit by malvertising attack" was originally published by CSO.

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.