Ransomware is being distributed to visitors of The Huffington Post website, as well as several other sites, via malicious advertisements served over the AOL advertising network, according to researchers with Cyphort Labs.
In a Tuesday email correspondence, Nick Bilogorskiy, director of security research with Cyphort, told SCMagazine.com that the threat is a drive-by attack, meaning users are infected if they simply navigate to the affected site and their browsers or plugins are vulnerable.
“No interaction is necessary,” Bilogorskiy said.
Cyphort Labs researchers noticed at the end of last year that the Canadian Huffington Post website was hosting an advertisement from advertising[dot]com, an AOL advertising network, according to a Monday post.
The advertisement ultimately redirected visitors to a landing page serving up either the Neutrino Exploit Kit or the Sweet Orange Exploit Kit, Bilogorskiy said. The exploit kit served a Flash exploit and a VB script, and then downloaded the Kovter trojan, which is ransomware that locks the infected machine's screen from access by the user.
“Kovter creates a full-screen window, which displays the ransom note and blocks keyboard and mouse input,” Bilogorskiy said. “One special trick of Kovter is that it searches the web browser history of an infected machine, to spot explicit websites such as adult content [that was] visited by the user before. Displaying these links incorporated in the ransom note, the ransom demand becomes more realistic.”
Recent Kovter variants have demanded between $300 and $500, and the lock screen is customized depending on the country of the user, Bilogorskiy said, explaining that supported countries include U.S., Germany, France, Spain, Great Britain, Italy, the Netherlands and Turkey.
Cyphort Labs later learned that huffingtonpost[dot]com and a variety of other sites were also distributing the malware via malicious advertisements, with the common link being the advertising[dot]com or adtech[dot]de advertising networks – both of which are owned by AOL.
The attack ceased shortly after Cyphort Labs notified the AOL security team of the issue, Bilogorskiy said.
“When we consulted our logs we have seen the issue started in late October,” Bilogorskiy said. “So, one possibility is that AOL itself has been breached. Another possibility is that attackers are submitting the malicious ads and have AOL approving these ads for use in the ad network.”
Bilogorskiy said that advertising networks get millions of submissions and it is challenging to filter every single malicious advertisement out of the system. “The attackers are accustomed to tricking the networks by making “armored” malverts, where they use various techniques to appear legitimate to the analysts, but infect the users nonetheless,” Bilogorskiy said.
He explained, “For instance they will enable the malicious payload after a delay of several days after the ad is approved. Another way is to only serve the exploits to every 10th user, or every 20th user who views the ad. Verifying user agents and IP addresses also is a common strategy to hide from analysts and automated malware detection.”
UPDATE: An AOL spokesperson told SCMagazine.com on Tuesday that AOL was made aware of the problem early on and quickly addressed the issue. “AOL is committed to bringing new levels of transparency to the advertising process, ensuring ads uphold quality standards and create positive consumer experiences,” the spokesperson said.