The malvertising campaign is serving CryptoWall 2.0, researchers at Proofpoint revealed.
The malvertising campaign is serving CryptoWall 2.0, researchers at Proofpoint revealed.

Web pages managed by Yahoo, AOL, The Atlantic, and Match.com have been detected as hosting malicious ads, which may have put site visitors at risk of downloading ransomware, researchers warned.

The segment of website visitors impacted by the malvertising campaign, would have been those running vulnerable versions of Adobe Flash Player. According to Proofpoint, the security firm that detected the campaign, “the malvertisements silently ‘pull in' malicious exploits from the FlashPack Exploit Kit,” a Wednesday blog post said.

Without so much as clicking the poisoned ads, Flash users visiting impacted sites may have installed CryptoWall 2.0.

“Similar to the behavior of other ‘ransomware,' CryptoWall then encrypts the end-users' hard drive and will not allow access until the victim pays a fee over the internet for the decryption key,” the blog post revealed.

Proofpoint determined that, over the month the campaign was active beginning in late September, attackers may have collected at least $750,000 in ransoms accepted as bitcoin. The firm named more than 20 popular websites in all that were affected by the malverstising campaign, including sites managed by The Sydney Morning Herald, Time Out magazine, and Weatherzone Australia. Up to 3 million visitors per day could have been exposed to the campaign, Proofpoint said.

The company notified affected parties of the threat, including ad networks OpenX, Rubicon Project and Yahoo Ad Exchange (formerly Right Media), which were unknowingly delivering the poisoned ads to popular sites. As of Saturday, the security issue was addressed by ad networks.

In a Thursday interview with SCMagazine.com, Wayne Huang, vice president of engineering at Proofpoint, who authored the blog post, spoke more to attackers' use of the FlashPack exploit kit to deliver ransomware.

“This exploit kit is mostly used in malvertising which makes it special, in my opinion,” Huang said. “The whole design of this exploit kit is based on this [attack method]. It redirects traffic using Flash, which is not often seen in exploit kits, and the exploitation is also through Flash.”

Huang added that attackers may have opted to spread ransomware through malvertising because the ad-poisoning activity is well-suited for such scams.

“These attackers did not want to spread their ransomware outside of their [targeted] region in order to minimize their visibility – and the best way to do that was through malvertising,” he explained. “The ad networks always let you select the region that you want to serve your ad in. It's built in, and it just happens to be a feature that [attackers] really need.”

Last month, researchers at Barracuda Labs also detected that CryptoWall ransomware was being delivered as part a widespread malvertising campaign. Drive-by downloads were detected as coming from hindustantimes[.]com, bollywoodhungama[.]com, one[.]co[.],il, codingforums[.]com, and mawdoo[.]com, the firm said. The malware was delivered via the Zedo ad network.