A cybersecurity firm (Cyphort) recently reported that the AOL Ad Network was responsible for spreading malware in the form of malicious advertisements placed along the sidebars of popular websites including the Huffington Post, Game Zone, Weather Bug and others. The AOL Ad Network, which supports ad platforms in both the United States and Germany, reports serving nearly 200 million user impressions every month. In fact, 90% of U.S. Internet users are exposed to the AOL Ad Network every day.
Malvertising, as this method of delivering malware has come to be known, has been reported on this blog before, and the technique seems to be increasingly popular with hackers around the world because it circumvents the due diligence most Internet users practice in this age of constant malware threats. Users exposed to malvertising have no idea they have been exposed and have absolutely no way to protect themselves from this new type of threat.
The technique is extremely effective because, through a chain of automatic redirects, a user can be sent through six, seven or eight different websites before landing on a malicious page designed to exploit flaws in popular Web browsers and plugins such as Adobe Flash and Java.
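As an added illustration of the redirect chains described above (example code written for this post, not from the original article or from Cyphort's report), the following Python reconstructs each client's redirect chain from constructed proxy log lines and flags chains that bounce across more than a few distinct hosts. The log format, client addresses and `.test` host names are all assumed and constructed for the example.

```python
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic): "time client status url location",
# where location is the 3xx Location header, or "-" when the response did not redirect.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 302 http://ads.adnet-example.test/serve?id=1 http://click.hop-one.test/r
10:00:01 10.0.0.5 302 http://click.hop-one.test/r http://go.hop-two.test/x
10:00:02 10.0.0.5 302 http://go.hop-two.test/x http://cdn.hop-three.test/y
10:00:02 10.0.0.5 302 http://cdn.hop-three.test/y http://landing.hop-four.test/z
10:00:03 10.0.0.5 200 http://landing.hop-four.test/z -
10:00:05 10.0.0.9 302 http://www.news-example.test/old http://www.news-example.test/new
10:00:05 10.0.0.9 200 http://www.news-example.test/new -
"""

def parse_log(text):
    """Split each log line into (time, client, status, url, location-or-None)."""
    events = []
    for line in text.splitlines():
        time, client, status, url, location = line.split()
        events.append((time, client, int(status), url, None if location == "-" else location))
    return events

def build_chains(events):
    """Stitch each client's requests into redirect chains by matching a request URL
    against the Location of that client's previous 3xx response.
    Returns a list of (client, [first_url, ..., final_url])."""
    chains = []
    pending = {}  # (client, url the redirect told it to fetch next) -> chain so far
    for _time, client, status, url, location in events:
        chain = pending.pop((client, url), None)
        if chain is None:
            chain = [url]       # not a continuation of a redirect: start a new chain
        else:
            chain.append(url)   # the client followed the redirect it was given
        if 300 <= status < 400 and location:
            pending[(client, location)] = chain
        else:
            chains.append((client, chain))
    # Chains whose final hop never showed up in the log are still worth reporting.
    for (client, _next_url), chain in pending.items():
        chains.append((client, chain))
    return chains

def suspicious_chains(chains, max_hosts=3):
    """Flag chains that bounce across more than max_hosts distinct hosts, the
    multi-site redirection pattern described for this malvertising campaign."""
    return [(client, chain) for client, chain in chains
            if len({urlparse(u).hostname for u in chain}) > max_hosts]
```

Running `suspicious_chains(build_chains(parse_log(SAMPLE_LOG)))` flags only the five-host chain of client 10.0.0.5; the site-internal redirect of 10.0.0.9 stays below the threshold.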
The threat was first discovered on December 31st when malicious ads were detected on the Canadian version of Huffington Post, but by January 3rd the number of sites affected by this attack had increased to include:
- HuffingtonPost.ca
- HuffingtonPost.com
- FHM.com
- Gamezone.com
- Weatherbug.com
- LAWeekly.com
- GoodDrama.net
- MojoSavings.com
- TheIndyChannel.com
Other sites, including domains owned by Yahoo!, Comcast and Weather.com, were also affected. In all, it is estimated that over 1.5 billion people were put at risk during this malvertising campaign.
Although the malicious payload delivered by the hackers could be anything, it appears that most victims of this attack ended up with the Kovter Trojan remotely installed on the infected machine. This Trojan, a form of ransomware, takes over the PC by disabling the keyboard and mouse while displaying a screen claiming that the computer has been taken over by law enforcement for viewing child pornography. Victims are then asked to purchase a prepaid credit card from a specific vendor in the amount of $300 to “unlock” the PC. Fortunately for victims of Kovter, it is not true ransomware in the sense that personal files and folders are not encrypted. In other words, rebooting the computer in Safe Mode and running an antivirus tool is usually enough to remove Kovter from the PC (unlike more sophisticated ransomware that requires a decryption key).
While the AOL Ad Network has taken steps to remove these malicious ads from its platform, there is no telling when hackers may once again initiate a massive malvertising campaign.
The only way to protect your PC from these threats is to ensure that all operating system and plugin updates are installed and that a quality antivirus solution is running at all times. Usually, this is enough to prevent exploitation when your machine is automatically redirected to malicious sites via a compromised advertising network.