‘Malvertising’ Infects Huffington Post and Others

Have you visited The Huffington Post and several other websites in the past week? You may have been the victim of an infection as these websites displayed malware advertisements, otherwise known as “malvertising.”

According to a blog post authored by researchers at cybersecurity firm Cyphort, the malware, which is called Kovter, was presented in ads managed by AOL’s network between Dec. 31 and Jan. 5. In fact, researchers say that the malware campaign could have very well gone as far back as October.

The Huffington Post, GameZone, Houston Press, LA Weekly, Soap Central, WeatherBug, Mojo Savings and FHM were among the websites affected by this cyberattack. Users may have been infected simply by visiting these websites, without even clicking the advertisements.

Ostensibly, hackers are demanding money to unlock computers that have been affected by the malware. It remains unclear exactly how many computers have been affected, but it is known that users with outdated web browsers were affected – individuals with modern, updated browsers were fine.


This type of ransomware is quite dangerous. When a computer is infected, the malware blocks access to the keyboard and mouse. A screen appears with a message that claims to be from a law enforcement official. It then informs the user that they have viewed child pornography and that they should pay a so-called fine of $300 that can only be paid through prepaid Visa or MasterCard cards from MoneyPak. The malware is also customized based on the computer’s location: if it’s a United States computer, the bogus message claims to be from the FBI, while French computers will see a fake message from the Police Nationale.

Computer experts say there is a method to remedy this problem: since Kovter doesn’t encrypt a user’s files and just blocks access to them, individuals can regain access by rebooting the computer in safe mode and then running an anti-virus program. Once this is accomplished, the computer should be cleaned.

“Interestingly, attackers used a mix of HTTP and HTTPS redirects to hide the servers involved in this attack. The HTTPS redirector is hosted on a Google App Engine page. This makes analysis based on traffic PCAPs more difficult, because HTTPS traffic is encrypted,” Cyphort researchers wrote in a blog post.

“It appears that this group has compromised and/or has access to multiple .pl domains in Poland, and is making redirects via sub-domains for these sites (nysa.pl, klodzko.pl, etc). This is similar to the Youtube Ads attack that our friends at TrendMicro blogged about in October.”

It was discovered in October that hackers earned about $25,000 per day by tricking various websites into showing malware-laced ads to visitors. Some of the victims were Yahoo!, The Atlantic and AOL. The hackers used Cryptowall ransomware, and the campaign may have affected about three million people per day.

Yahoo! explained that it took immediate action when it discovered the incident:

“At Yahoo, we take the safety and privacy of users very seriously. As soon as we detected the incident, we promptly removed the advertising and have continued to monitor and block any advertising being used for this activity,” a Yahoo! spokesperson said in a statement.