SSL Malvertising Campaign Continues (UPDATED)

Posted: August 13, 2015 by Jérôme Segura
Last updated: March 30, 2016

Update 08/14: The campaign has moved to another advertiser (AOL) and new Azure domain:

Malvertising URL:

imp.bid.ace.advertising.com/{redacted}pmcpmprice=0.545/{redacted}dref=http://www.ebay.com/sch/i.html?_nkw=jazzy+wheelchair+battery&_pgn=3&_skc=100&rt=nc

First redirection (Azure website):

v5tr34-a09.azurewebsites.net/?=a09vv5vtrkp

Second redirection:

mbiscotti.com/?Xz29TuVbablQc

Angler exploit kit:

abgzdbergzr.jeppe.iemooentypo.com/{redacted}
abgzdbergzr.le9.anguoanti-malware.net/abgzdbergzr/{redacted}

Our telemetry captured this malvertising on eBay.com and the cost per thousand impressions (CPM) for this ad was $0.545. Visitors that were served that ad were redirected to the Angler exploit, known for dropping ransomware and ad fraud malware.

– – Original story —

The actors behind the recent Yahoo! malvertising attack are still very much active and able to infect people who browse popular websites.

We have been tracking this campaign and noticed that is has recently moved to a new ad network used by many top publishers.

weather.com 121M visits per month
drudgereport.com 61.8M visits per month
wunderground.com 49.9M visits per month
findagrave.com 6M visits per month
webmaila.juno.com 3.6M visits per month
my.netzero.net 3.2M visits per month
sltrib.com 1.8M visits per month

Stats according to SimilarWeb.com

The malvertising is loaded via AdSpirit.de and includes a redirection to an Azure website. Note how both URLs are using HTTPS encryption, making it harder to detect the malicious traffic at the network layer.

Redirection chain

Publisher’s website
https://pub.adspirit.de/adframe.php?pid=[redacted]
https://pr2-35s.azurewebsites.net/?=pr2-35s-981ef52345
abcmenorca.net/?xvQtdNvLGcvSehsbLCdz
Angler Exploit Kit

Malwarebytes Anti-Exploit users were protected against this attack.

We informed the ad network and although they did not immediately get back to us, the rogue advert was taken down.

COMMENTS

capnkrunch

Is it really any wonder that ad blockers are so popular? Instead of complaining about lost revenue the ad industry needs to reform itself. It really shouldn’t have to be a choice between supporting the ad sponsored sites I frequent (which I really want to be able to do) or rolling the dice on being served Cryptowall 3 by the Angler EK. They’ve had plenty of time to address this issue but instead of doing so they seem more concerned complaining about how unfair it is of us to use ad blockers.
Jérôme Segura

You make some good points there. I think supporting free content is fine but not with the kind of risk it entails. People already hate ads, and we really didn’t need another incentive to block them.
The popularity of ad blockers may really force the ad industry’s hand to change how they go about advertising. It could be the use of new technologies that make malvertising harder or perhaps sponsored content where the advertiser is mentioned throughout the article in other ways than with a traditional ‘ad banner’.
Pingback: My browser visited Drudgereport and all I got was this lousy malware | TheApplePips.com()
Pingback: My browser visited Drudgereport and all I got was this lousy malware | CTECH 3384()
jon_downfromthetrees

Perhaps the ad networks might vet ads first?
capnkrunch

As well as the risk for users, I think it’s unfair to the content producers too. Content producers can’t fix the problem themselves, the changes need to be made by the ad networks. And since even the large, reputable agencies are susceptible to malvertising attacks they can’t even vote with their wallets.

I like the idea of alternatives to banner ads. In fact, one of the few places that I think does ads absolutely right, the TWiT network, does this. They have the advantage of producing audio and video content which I think is probably easier to weave ads into than written content but it still shows that the concept is feasible.
capnkrunch

It’s probably impractical to vet every ad, I imagine it’s similar to how Google doesn’t manually vet every app submitted to the Play Store. That said you would think that they could do more vetting of new advertisers. It also seems like adding some logic to detect the redirection chain that happens would be possible. I don’t think there’s a legitimate reason for ads to be redirecting users.
Pingback: Malware ad campaign hits wunderground, drudgereport and others » Unruleable Blog()
Jérôme Segura

Absolutely, redirections are just too much of a security risk. The only thing that should be allowed is a predefined URL that takes you to the product/service page when you click on it.

All over redirections are synonymous with suspicious or malicious activity.
Alan

How can I determine if I was infected?
Jérôme Segura

You can run a scan with your favourite antivirus and anti-malware products, as well as keep an eye on anything out of the ordinary. This particular exploit kit is known to drop ransomware, which if it did infect your PC with, you would know pretty quickly.
Alan

Yes, I already scanned with Symantec, but I don’t know if they have this malware covered. But no ransomware notice received … thank goodness. Thanks for your help. (And that reminds me to again back up remotely.)
Jérôme Segura

Yes, backups are your best friend, that’s for sure. With ransomware, you need to make sure your back up is not attached to your PC at all times, because… well, bad things can happen.
I would recommend scanning using Malwarebytes as well. Not trying to push our product, but it’s free and specializes on different things than an antivirus. Thanks,
Pingback: Huffington Post serves malvertising, again. - Cyphort()
Pingback: ste williams – You’ve been Drudged! Malware-squirting ads appear on websites with 100+ million visitors()
Pingback: My browser visited Weather.com and all I got was this lousy malware (Updated) | TechDiem.com()
Pingback: Massive Malware Campaign Targets Another Billion+ Users()
Pingback: You’ve been Drudged! Malware-squirting ads appear on websites with 100+ million visitors | TechDiem.com()
Pingback: Coming Soon » My browser visited Weather.com and all I got was this lousy malware (Updated)()
Gabor Szathmari

Do you need to click on the ad to kick-off the redirection chain?
Pingback: More malware delivering adverts - Breaking Ads()
Pingback: Why I won’t browse the web without Adblockers Part XXIII: “I went to Weather.Com and all I got was this lousy malware” | Constantinople (Not Istanbul)()
Pingback: My browser visited Drudgereport and all I got was this lousy malware | Change your style, keep your budget()
Cody Allison

Ah malware bytes…i tell people to put that on their windows boxes. I haven’t had an anti-virus since i switched to linux. Also ad blocker and script blocker…you no run if i no say so…i am interested in content more than packaging…
Pingback: My browser visited Weather.com and all I got was this lousy malware (Updated) - #1 Info Portal()
Pingback: My browser visited Weather.com and all I got was this lousy malware (Updated) » Apssites()
Bobbbbby5

I wonder why this type of thing doesn’t happen on the mobile side?
Surely there are even less ads blocked there.
Pingback: Malware Via Yahoo Ads Resurfaces With A Vengance | The IT Nerd()
Pingback: Another Infected Ad Network, Another Reason To Use An Ad Blocker at A Geek With Guns()
Jérôme Segura

Good question! The answer is no. The redirection happens as the page loads with the ad.
Jérôme Segura

Thank you!
Jérôme Segura

Mobile users get different payloads. We see a lot of unwanted pop ups for fake application, etc… See here for more: https://blog.malwarebytes.org/mobile-2/2013/12/android-pop-ups-warn-of-infection/
Pingback: En Bref … - CNIS mag()
Pingback: Massive Ad Poisoning scam and what you can do to protect against | My Space()
Pingback: Malvertizing is alive and well spreading CryptoWall ransomware through poisoned ads | HacktheW0r1d()
Pingback: Infected ad networks hit popular websites | Leet bytes()
Pingback: Infected ad networks hit popular websites | 007 Software()
Pingback: Start up: Second Life higher ed, killing more comments, Spotify’s hari-kiri, and more | The Overspill: when there's more that I want to say()
Pingback: Angler Exploit Kit Strikes on MSN.com via Malvertising Campaign | Malwarebytes Unpacked()
Pingback: My browser visited Drudgereport and all I got was this lousy malware (Updated) | Ad Jet()
Pingback: SSL Malvertising Campaign Targets Top Adult Sites | Malwarebytes Unpacked()
Pingback: Angler Exploit Kit Blasts Daily Mail Visitors Via Malvertising | Malwarebytes Unpacked()
Pingback: Virtual Mining Bitcoin News » Angler exploit kit targets up to 156 million UK Daily Mail readers in malvertising spree()
Pingback: Angler Exploit Kit Blasts Daily Mail Visitors Via Malvertising()
Pingback: Malvertising Hits ‘The Daily Mail’ One of the Biggest News Sites on the Web - AdTrustMedia Blog()
Pingback: Engadget Today » Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click()
Pingback: Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click | S4mpl3d()
Pingback: Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click - Meta Thrunks Security Blog()

RELATED ARTICLES

Exploits | Threat analysis

Citadel: a cyber-criminal’s ultimate weapon?

November 5, 2012 - In old times, a citadel was a fortress used as the last line of defense. For cyber criminals it is a powerful and state-of-the-art toolkit to both distribute malware and manage infected computers (bots). Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes...

CONTINUE READING No Comments

Exploits | Threat analysis

Web Exploits: a bright future ahead

January 2, 2013 - The majority of computers get infected from visiting a specially crafted webpage that exploits one or multiple software vulnerabilities. It could be by clicking a link within an email or simply browsing the net, and it happens silently without any user interaction whatsoever. Vulnerabilities are flaws that exist in various programs and that allow someone to...

CONTINUE READING 2 Comments

Exploits | Threat analysis

Zero-Day Java vulnerability wreaks havoc on computers worldwide

January 14, 2013 - Update (1/14/2013) Oracle has issued an emergency patch to be shipped with version 7 update 11. While we are pleased to see a quick turnaround time, we stand by our initial recommendations to disable Java in your browser. This is still the most exploited piece of software and whether it is patched or not still unnecessarily puts you...

CONTINUE READING 1 Comment

Exploits | Threat analysis

New Exploit Kit, Ransomware and AV evasion

March 14, 2013 - Ransomware is still going strong and infecting countless PCs. We happened to stumble upon an interesting sample part of the Urausy family which bypassed detection on all major antivirus products for almost an entire day before slowly being detected. In this post we will give some information on its background (where it came from) and...

CONTINUE READING No Comments

Exploits | Threat analysis

Redkit Exploit Kit does the splits

April 5, 2013 - Exploit Kit authors must really love Java . Not only is it ripe with vulnerabilities but its own language provides a great platform to write and deliver malware in different ways. We are used to seeing encrypted payloads (XOR, AES encryption), applets containing both the exploit itself and the binary payload. Today we will talk...

CONTINUE READING No Comments

ABOUT THE AUTHOR

Jérôme Segura
Lead Malware Intelligence Analyst

Security researcher with a focus on exploits, malvertising and fraud.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

TOP POSTS

SSL Malvertising Campaign Continues (UPDATED)

Redirection chain

Citadel: a cyber-criminal’s ultimate weapon?

Web Exploits: a bright future ahead

Zero-Day Java vulnerability wreaks havoc on computers worldwide

New Exploit Kit, Ransomware and AV evasion

Redkit Exploit Kit does the splits

Cybersecurity info you can’t do without