LA Weekly and Huffington Post Hit by Malvertising Attacks

Security vendor Cyphort has identified a malvertising campaign which hit a couple of websites including LA Weekly and Huffington Post.

Cyphort first detected the infection, which was an AOL advertisement network, on the Canadian edition of Huffington Post (huffingtonpost.ca) on 31st December, 2014 and later on Huffingtonpost.com on 3rd January, 2015. Cyphort informed AOL about the campaign and the attacks stopped on 5th January, 2015.

Securityweek.com published news on 6th January, 2015 quoting Nick Bilogoriskiy, Director of Security Research of Cyphort, as saying "In this attack all the tainted ads came through advertising networks belonging to AOL and we do not know exactly how it went that far. When we checked our logs, we found that the attack started somewhere in late October (2014) and so the odds is that AOL itself has been breached or may be frausters are submitting the maligned ads and got approval of AOL of these ads for use in the advertising network."

Cyphort says that the advertisement redirected users via multiple hops.

Scmagazine.com published a report on 6th January, 2015 quoting Bilogoriskiy as saying "However it ultimately redirected visitors to a landing page serving either Sweet Orange Exploit kit or Neutrino Exploit Kit."

The exploit kit served a Flash exploit and a Visual Basic script and downloaded the infamous Kovter Trojan which is a ransomware that locks the screen of the infected machine from access by the user.

Bilogorskiy added: 'Kovter creates a full-screen window which displays the ransom note and blocks the input of keyboard and mouse. One special trick of Kovter is that it searches the history of web browser of an infected machine to identify explicit websites like adult content (that was) visited by the visitor before. The ransom demand looks more realistic as the ransom note displays these links.'

Advertising platforms try to thwart malicious activity by selecting ads before they are publicized but there are many tricks employed to avoid the checks.

Attackers will submit advertisements to a marketing platform but wait for few days before enabling the tarnished payload until the advertisement has been approved. Pcadvisor.co.uk reported on 7th January, 2015 quoting Bilogorskiy as saying "Sometimes malicious advertisements will only attack every 10th user making it more thorny to detect and remove."

» SPAMfighter News - 1/13/2015