The Huffington Post, Yahoo News, AOL, TMZ and many other sites are being hit with malvertising, reaching a combined total of 1.5 billion web visitors.
The campaign abuses the legitimate AOL ad network to distribute malicious web advertisements. Users don't even need to click on these to become infected: a web page that simply displays a malicious ad will infect visitors via the Neutrino Exploit Kit.
“Malvertising is a huge issue that affects a wide range of people: end users, of course, but also advertisers and publishers who have to fight to defend their legitimacy,” said Jerome Segura, senior security researcher at Malwarebytes Labs, in a blog. “Cyber-criminals will likely continue to hijack ad networks with malicious code and pocket the dividends from hundreds of thousands of successful infections. This particular campaign is likely to migrate to other controllers or evolve into something else since it is now in the public domain and affected parties are cleaning up and securing their systems.”
Cyphort Labs originally detected the infection through the ad network on HuffingtonPost.com and HuffingtonPost.ca. The attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in the attack; the redirector is hosted on a Google App Engine page.
It appears that the group behind the campaign has compromised, or otherwise has access to, multiple .pl domains in Poland, and is redirecting via sub-domains of these sites. Both advertising.com and adtech.de, which are part of the AOL Platforms ad network, redirect to these infected Polish sites.
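The redirect chain described above (ad-network host, then a Google App Engine redirector, then an HTTPS-to-HTTP hop onto a sub-domain of an unrelated .pl site) is the kind of pattern a publisher's infection monitoring can pick up from its own proxy or web logs. The following is an added example written for this article, not code from Cyphort, Malwarebytes or AOL. It reconstructs per-client redirect chains from constructed log lines and flags chains that start at one of the ad-network domains named in the article and land somewhere outside a hypothetical allowlist. The log format, the `partner-cdn.test` allowlist entry, and every host name other than `advertising.com` and `adtech.de` are assumptions made for the example.

```python
"""Reconstruct HTTP redirect chains from proxy logs and flag suspicious ad-network redirects.

Example code added to the article; the log format and all host names except the
two AOL Platforms domains named in the text are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: client  timestamp  url  status  location ("-" when absent).
# The second client sees a benign redirect; the first sees a chain shaped like the
# one the article describes (ad network -> App Engine hop -> HTTP on a .pl sub-domain).
SAMPLE_LOG = """
10.0.0.5 2015-01-05T10:00:01Z https://www.example-news.test/article 200 -
10.0.0.5 2015-01-05T10:00:02Z https://adserver.advertising.com/slot?id=1 302 https://redir-placeholder.appspot.com/r?x=1
10.0.0.5 2015-01-05T10:00:02Z https://redir-placeholder.appspot.com/r?x=1 302 http://ads.placeholder-compromised.pl/load.php
10.0.0.5 2015-01-05T10:00:03Z http://ads.placeholder-compromised.pl/load.php 200 -
10.0.0.9 2015-01-05T10:01:00Z https://adserver.advertising.com/slot?id=2 302 https://cdn.partner-cdn.test/creative.js
10.0.0.9 2015-01-05T10:01:00Z https://cdn.partner-cdn.test/creative.js 200 -
"""

# The AOL Platforms hosts named in the article.
AD_NETWORK_DOMAINS = {"advertising.com", "adtech.de"}
# Hypothetical allowlist of landing domains the publisher has vetted.
TRUSTED_LANDING_DOMAINS = {"partner-cdn.test"}


def registered_domain(host):
    """Approximate the registrable domain as the last two labels (no public-suffix list offline)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_log(text):
    """Turn whitespace-separated log lines into dicts; '-' means no Location header."""
    records = []
    for line in text.strip().splitlines():
        client, ts, url, status, location = line.split()
        records.append({"client": client, "ts": ts, "url": url,
                        "status": int(status),
                        "location": None if location == "-" else location})
    return records


def build_chains(records):
    """Follow Location headers per client from each redirect that no other redirect points at."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    chains = []
    for client, recs in by_client.items():
        by_url = {r["url"]: r for r in recs}
        targets = {r["location"] for r in recs if r["location"]}
        for r in recs:
            if not r["location"] or r["url"] in targets:
                continue  # not a redirect, or an intermediate hop of another chain
            chain, seen = [r], {r["url"]}
            nxt = by_url.get(r["location"])
            while nxt and nxt["url"] not in seen:  # stop on loops
                chain.append(nxt)
                seen.add(nxt["url"])
                nxt = by_url.get(nxt["location"]) if nxt["location"] else None
            chains.append((client, chain))
    return chains


def assess_chain(chain):
    """Describe a chain and decide whether it deserves analyst attention."""
    urls = [r["url"] for r in chain]
    if chain[-1]["location"]:  # final hop was not fetched through this proxy
        urls.append(chain[-1]["location"])
    hosts = [urlsplit(u).hostname or "" for u in urls]
    schemes = [urlsplit(u).scheme for u in urls]
    findings = []
    starts_at_ad_network = registered_domain(hosts[0]) in AD_NETWORK_DOMAINS
    if starts_at_ad_network:
        findings.append("starts at ad network")
    if any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:])):
        findings.append("https->http downgrade")
    if any(h.endswith(".appspot.com") for h in hosts):
        findings.append("hop via app-engine host")
    landing = registered_domain(hosts[-1])
    lands_unlisted = landing not in TRUSTED_LANDING_DOMAINS and landing not in AD_NETWORK_DOMAINS
    if lands_unlisted:
        findings.append("lands on unlisted domain " + landing)
    return {"urls": urls, "findings": findings,
            "suspicious": starts_at_ad_network and lands_unlisted}


def analyze(text):
    """Parse a log and return one assessment per reconstructed chain, in log order."""
    return [dict(client=client, **assess_chain(chain))
            for client, chain in build_chains(parse_log(text))]


if __name__ == "__main__":
    for result in analyze(SAMPLE_LOG):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(flag, result["client"], " -> ".join(result["urls"]), result["findings"])
```

The allowlist approach is deliberate: a publisher cannot enumerate every attacker host, but it can enumerate the creative-serving domains its ad partners are contracted to use, so anything an ad-network redirect lands on outside that list is worth a look, and the scheme downgrade and the intermediate hosting hop are recorded as context for the analyst rather than used as the sole trigger.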
The potential impact is huge. “AOL Platforms has 199 million unique visitors per month,” explained Nick Bilogorsky, director of security research at Cyphort, in an analysis. “It reaches 88.8% of the US internet audience.”
The situation bears out a prediction from Blue Coat at the end of 2014, that major media properties will increasingly display ads from partner networks that host malware.
And indeed, others agree that malvertising will continue to be a growing trend in 2015.
“We believe that this trend presents a significant cybersecurity challenge in 2015,” said Bilogorsky. “Website owners should ask questions about their malvertising protection before signing up with ad syndication networks. More importantly, website owners should deploy infection monitoring and detection solutions to protect their site visitors from malware infection.”
Cyphort has notified the AOL abuse and security team, which confirmed that it is investigating the issue.