SSL Redirect Malvertising Campaign Exposes 10 Million to Angler EK

Security researchers are warning that a malvertising campaign first spotted over a fortnight ago has expanded, with over 10 million users exposed to the Angler exploit kit as a result.

The attack was first discovered by Cyphort Labs earlier this month. It differs from the plethora of other campaigns in its use of multiple SSL redirectors, which are designed to encrypt traffic and make it harder for white hats to follow the redirection path.

The SSL redirector in question is affecting ad-serving platform e-planning.net.

“In the last 10 days, Cyphort Labs found many more infected domains – they are listed below. Please refrain [from] going to these sites as they are dangerous,” Cyphort Labs security research director, Nick Bilogorskiy, wrote in a blog post.

“We have notified e-planning.net about this issue and they are actively working to resolve it. At least 10 million people have visited these websites and were potentially exposed to the Angler exploit kit in the last 10 days according to our estimates and data from SimilarWeb.”

As before, the sites affected span the globe, from Vietnamese tech site techz.vn – which has 3.7m visits per month – to Japanese news site hochi.co.jp, which boasts 1.8m.

Sites in Italy, Greece, the US and Sweden – among others – are also affected.

The original malvertising campaign used AOL’s ADTECH.DE platform to spread, but switched to e-planning on 16 July, according to Cyphort.

The Angler exploit kit has made several appearances in malvertising campaigns so far this year.

It was spotted by Websense in June, exploiting a new Adobe zero-day vulnerability in order to drop the trojan Bunitu onto victims’ machines.

Angler EK has also been used prolifically to infect hosts with infamous ransomware Cryptowall 3.0 – again exploiting an Adobe flaw.

In fact, the popularity of exploit kits like Angler and Nuclear – which are readily available on darknet sites – makes it all the more important for IT admins to patch Adobe flaws as soon as a security update is released.
