AOL Advertising Network Abused to Distribute Malware
Security researchers have uncovered a malvertising campaign used to distribute malware to visitors of The Huffington Post website, as well as several other sites, through malicious advertisements served over the AOL advertising network.
At the end of last year, Cyphort Labs, a security firm specializing in detecting malware threats, came across malicious advertisements being served on the United States and Canadian versions of the popular news website The Huffington Post. The malicious advertisements eventually redirected visitors of the news website to other websites hosting exploit kits, which attacked victims’ computers and installed malware.
Researchers discovered that the malvertising campaign originated with ads served by AOL’s Advertising.com network. Once an ad was clicked, users were sent through a chain of redirects, some of them over HTTPS-encrypted connections, to a page that served either the Neutrino Exploit Kit or the Sweet Orange Exploit Kit.
"Interestingly, attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack," the Cyphort analysis of the attack states. "The HTTPS redirector is hosted on a Google App Engine page. This makes analysis based on traffic PCAPs more difficult, because HTTPS traffic is encrypted."
The exploit kit served both Adobe Flash and VBScript exploits – Flash being a common target for cybercriminals due to the wide range of vulnerabilities found in it – and then downloaded the Kovter trojan, which is actually ransomware that locks the infected computer's screen and denies the user access.
"The purpose of this attack is to install a malicious binary – a new variant of a Trojan, from the Kovter family. (SHA1: eec439cb201d12d7befe5482e8a36eeb52206d6f)," the researchers say. "The malware was downloaded from indus.qgettingrinchwithebooks.babia-gora.pl:8080, it was an unencrypted binary. After execution it connects to a16-kite.pw for CNC. It executes by injecting its payload into a spawned svchost.exe process."
The websites hosting the exploit kit were ".pl" domains, the country code top-level domain for Poland. Researchers also noticed that a variety of other websites, including weatherbug.com, mandatory.com and houstonpress.com, were distributing the malware via malicious advertisements, with the common link being the "adtech.de" and "advertising.com" advertising networks — both ad platforms owned by AOL.
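The redirect chain described above (AOL ad network, an HTTPS hop through Google App Engine, a ".pl" exploit-kit host on a non-standard port, a binary download, then the a16-kite.pw command-and-control host) can be reconstructed from proxy logs. The following detection script is an added example, not part of the Cyphort report; the log format, the client addresses and the hostname hypothetical-app.appspot.com are constructed, and the App Engine hop is assumed to appear as a CONNECT to an appspot.com host.

```python
import re
from urllib.parse import urlparse
# Constructed proxy log (client, method, URL or CONNECT target, status); not from the report.
SAMPLE_LOG = """\
10.0.0.5 GET http://ads.advertising.com/serve?id=1 302
10.0.0.5 CONNECT hypothetical-app.appspot.com:443 200
10.0.0.5 GET http://indus.qgettingrinchwithebooks.babia-gora.pl:8080/land.php 200
10.0.0.5 GET http://indus.qgettingrinchwithebooks.babia-gora.pl:8080/x.exe 200
10.0.0.5 GET http://a16-kite.pw/gate.php 200
10.0.0.9 GET http://ads.advertising.com/serve?id=2 302
10.0.0.9 GET http://www.example.com/ 200
"""
AD_NETWORKS = ("advertising.com", "adtech.de")  # AOL ad platforms named in the report
KNOWN_C2 = ("a16-kite.pw",)                     # C2 host the researchers observed
LOG_RE = re.compile(r"^(\S+) (GET|CONNECT) (\S+) (\d{3})$")
def in_domain(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def parse_line(line):
    """One log line -> dict; a CONNECT (HTTPS) hop only reveals host:port, nothing more."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, target, status = m.groups()
    u = urlparse(target if method == "GET" else "https://" + target)
    return dict(client=client, method=method, host=u.hostname or "", status=int(status),
                port=str(u.port or (443 if u.scheme == "https" else 80)), path=u.path)

def classify(ev):  # one request -> a stage of the chain described in the report, or None
    h = ev["host"]
    if in_domain(h, AD_NETWORKS) and ev["status"] in (301, 302):
        return "ad_network_redirect"
    if ev["method"] == "CONNECT" and in_domain(h, ("appspot.com",)):
        return "https_appengine_hop"
    if h.endswith(".pl") and ev["port"] not in ("80", "443"):
        return "binary_download" if ev["path"].lower().endswith(".exe") else "exploit_kit_landing"
    if in_domain(h, KNOWN_C2):
        return "c2_beacon"

def analyse(log_text, min_stages=3):
    """Group requests per client; flag clients whose sequence hits several stages in order."""
    chains = {}
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        chains.setdefault(ev["client"], []).append(ev)
    findings = {}
    for client, events in chains.items():
        stages = list(dict.fromkeys(s for s in map(classify, events) if s))  # ordered, deduplicated
        if len(stages) >= min_stages:
            findings[client] = stages
    return findings
```

A single ad-network redirect (client 10.0.0.9) is normal traffic and is not flagged; only a client that walks several stages of the chain is reported.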
AOL.com was notified of the issue on Saturday. A spokesman confirmed Cyphort’s findings and said the company took the necessary steps to fix the problem. AOL.com said it had stopped malicious software from being served by its advertising platforms after being alerted by a security company.
"AOL is committed to bringing new levels of transparency to the advertising process, ensuring ads uphold quality standards and create positive consumer experiences," the spokesman wrote.
Reviewed by Unknown on 1/15/2015