Huffington Post, Other Popular Sites Contain Malware Advertising

A cybersecurity security firm (Cyphort) recently reported that the AOL Ad Network was responsible for spreading malware in the form of malicious advertisements found along the sidebars of popular websites including the Huffington Post, Game Zone, Weather Bug and others. The AOL Ad Network, which supports ad platforms in both the United States and Germany, reports serving nearly 200 million user impressions every month. In fact, 90% of U.S. Internet users are exposed to the AOL Ad Network every day.

Malvertising, as this form of malware has come to be known, has been reported on this blog before and the technique seems to be increasingly popular with hackers around the world as it circumvents the due diligence most Internet users practice in this age of constant malware threats. Users exposed to malvertising have no idea they have been exposed and have absolutely no way to protect themselves from this new type of threat.

The technique is extremely effective because using a process of automatic redirection, a user can be sent through six, seven or eight different websites before landing on a malicious page designed to exploit flaws in popular Web browsers and plugins such as Adobe Flash and Java.

The threat was first discovered on December 31st when malicious ads were detected on the Canadian version of Huffington Post, but by January 3rd the number of sites affected by this attack had increased to include: HuffingtonPost.ca HuffingtonPost.com FHM.com Gamezone.com Weatherbug.com LAWeekly.com GoodDrama.net MojoSavings.com TheIndyChannel.com Other sites, including domains owned by Yahoo!, Comcast and Weather.com were also affected. In all, it is estimated that over 1.5 billion people were put at risk during this malvertising campaign.

aol ad network malvertising

Although the malicious payload delivered by the hackers could be anything, it appears that most victims of this attack ended up with the Kovter Trojan being remotely installed on the infected machine. This Trojan, which is a form of ransomware, takes over the PC by disabling the keyboard and mouse while displaying a screen claiming that the computer has been taken over by law enforcement for viewing child pornography. Victims are then asked to purchase a prepaid credit card from a specific vendor in the amount of $300 to “unlock” the PC. Fortunately for victims of Kovter, it is not true ransomware in the sense that personal files and folders are not encrypted. In other words, rebooting the computer in Safe Mode and running an antivirus tool is usually enough to remove Kovter from the PC (unlike more sophisticated ransomware versions that require a decryption key).

While the AOL Ad Network has taken steps to remove these malicious ads from its platform, there is no telling when hackers may once again initiate a massive malvertising campaign.

The only way to protect your PC from these threats is to ensure that all operating system and plugin updates are installed and that a quality antivirus solution is running at all times. Usually, this is enough to prevent exploitation when your machine is automatically redirected to malicious sites via a corrupt advertising network.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal