Researchers have detected a malvertising campaign running on a pair of sites owned by Huffington Post that is using ads distributed through an AOL ad network. The attack is sending victims through a series of redirects that eventually brings them to a landing page that is running an exploit kit.
The campaign emerged first on huffingtonpost.ca on Dec. 31, and researchers from security firm Cyphort soon found it on the main Huffington Post site in the United States as well. The researchers discovered that the campaign originates with ads being served by AOL’s Advertising.com network; once a user clicked on a malicious ad, she was redirected through a number of hops, some using HTTPS, until she hit a landing page. That page contained an exploit kit that was serving both Flash and VBScript exploits.
The landing pages appear to be compromised Polish sites.
“Interestingly, attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack. The HTTPS redirector is hosted on a Google App Engine page. This makes analysis based on traffic PCAPs more difficult, because HTTPS traffic is encrypted,” the Cyphort analysis of the attack says. AOL has taken steps to shut down the campaign.
“It appears that this group has compromised and/or has access to multiple .pl domains in Poland, and is making redirects via sub-domains for these sites (nysa.pl, klodzko.pl, etc).”
“The purpose of this attack is to install a malicious binary, a new variant of a Trojan from the Kovter family (SHA1: eec439cb201d12d7befe5482e8a36eeb52206d6f). The malware was downloaded from indus.qgettingrinchwithebooks.babia-gora.pl:8080; it was an unencrypted binary. After execution it connects to a16-kite.pw for CNC. It executes through injecting its payload into a spawned svchost.exe process,” the researchers say.
Cyphort’s researchers got in touch with the abuse team at AOL, and the attack stopped soon after.
“We have escalated this issue to the AOL security team (advertising.com infection). They are investigating. We have not talked to Huffington Post or dozens of other infected websites yet. Shortly after we notified AOL, the attack discontinued,” Nick Bilogorskiy, a Cyphort researcher, said in a statement.
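The redirect chain described above (ad network, an HTTPS hop, compromised .pl subdomains, payload download, CNC) is the kind of sequence a defender can reconstruct from proxy logs even when the HTTPS hops themselves cannot be inspected in a PCAP. The script below is an added example, not Cyphort's tooling or anything from the article; it uses the domains and SHA1 quoted in the article as indicators, but the log format, the client addresses, the ad-network and App Engine hostnames and every log line are constructed for illustration.

```python
"""Reconstruct a per-client redirect chain from proxy logs and flag the
indicators quoted in the article. Added example; the log format and the
sample lines are constructed, not real captures."""
import re
from urllib.parse import urlsplit

# Indicators quoted from the Cyphort description in the article.
SUSPECT_DOMAIN_SUFFIXES = ("nysa.pl", "klodzko.pl", "babia-gora.pl")
PAYLOAD_HOST = "indus.qgettingrinchwithebooks.babia-gora.pl"
CNC_HOST = "a16-kite.pw"
PAYLOAD_SHA1 = "eec439cb201d12d7befe5482e8a36eeb52206d6f"

# Hypothetical log format: "<timestamp> <client> <status> <url> [<sha1 of response body>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<url>\S+)"
    r"(?: (?P<sha1>[0-9a-f]{40}))?$"
)

# Constructed sample: one client walks the whole chain, a second only loads the front page.
# The ad-network and App Engine hostnames are placeholders, not from the article.
SAMPLE_LOG = """\
2014-12-31T10:00:01Z 10.0.0.5 200 http://www.huffingtonpost.ca/
2014-12-31T10:00:02Z 10.0.0.5 302 http://ads.example-adnetwork.invalid/click?id=42
2014-12-31T10:00:02Z 10.0.0.5 302 https://example-redirector.appspot.com/r
2014-12-31T10:00:03Z 10.0.0.5 302 http://abc.nysa.pl/go
2014-12-31T10:00:04Z 10.0.0.5 200 http://def.klodzko.pl/landing.html
2014-12-31T10:00:06Z 10.0.0.5 200 http://indus.qgettingrinchwithebooks.babia-gora.pl:8080/file.exe eec439cb201d12d7befe5482e8a36eeb52206d6f
2014-12-31T10:00:09Z 10.0.0.5 200 http://a16-kite.pw/gate
2014-12-31T10:00:10Z 10.0.0.7 200 http://www.huffingtonpost.com/
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def is_suspect_host(host):
    """True for the CNC host, the payload host, or any subdomain of the quoted .pl domains."""
    if host in (CNC_HOST, PAYLOAD_HOST):
        return True
    return any(host == s or host.endswith("." + s) for s in SUSPECT_DOMAIN_SUFFIXES)


def analyze_client(events, client):
    """Return the client's (scheme, host, status) chain plus what was observed along it."""
    chain = []
    findings = {"https_hops": 0, "suspect_hosts": [], "payload_seen": False, "cnc_seen": False}
    for ev in events:
        if ev["client"] != client:
            continue
        parts = urlsplit(ev["url"])
        host = parts.hostname or ""
        chain.append((parts.scheme, host, ev["status"]))
        # An HTTPS redirect is a hop whose body and Location header a PCAP cannot show.
        if 300 <= ev["status"] < 400 and parts.scheme == "https":
            findings["https_hops"] += 1
        if is_suspect_host(host):
            findings["suspect_hosts"].append(host)
        if host == PAYLOAD_HOST and ev.get("sha1") == PAYLOAD_SHA1:
            findings["payload_seen"] = True
        if host == CNC_HOST:
            findings["cnc_seen"] = True
    return chain, findings


def infected_clients(events):
    """Clients that fetched the known payload or contacted the CNC host, in first-seen order."""
    seen = []
    for ev in events:
        if ev["client"] not in seen:
            seen.append(ev["client"])
    hits = []
    for client in seen:
        _, findings = analyze_client(events, client)
        if findings["payload_seen"] or findings["cnc_seen"]:
            hits.append(client)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for c in infected_clients(evs):
        chain, f = analyze_client(evs, c)
        print(c, "->", " > ".join(f"{s}://{h} [{st}]" for s, h, st in chain))
        print("  https redirect hops:", f["https_hops"], "| suspect hosts:", f["suspect_hosts"])
```

To apply this to real data, normalize your proxy or Zeek HTTP logs into the four- or five-field format the regex expects; the value of the per-client walk is that it surfaces the whole hop sequence, so the opaque HTTPS redirect is still visible as a link between the ad click and the .pl landing page even though its contents are not.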
Image from Flickr photos of Stuart Rankin.