Malvertising on international websites with SSL redirectors

Posted on July 27th, 2015 by Nick Bilogorskiy

Update on July 27, 2015. The malvertising attack is still going strong, and it is still using the SSL redirector at https://ads.us.e-planning.net.

In the last 10 days Cyphort Labs found many more infected domains; they are listed below with the date each one was detected. Please refrain from visiting these sites, as they are dangerous.
We have notified e-planning.net about this issue and they are actively working to resolve it. By our estimates, based on SimilarWeb traffic data, at least 10 million visitors went to these websites in the last 10 days and were potentially exposed to the Angler exploit kit.

Date detected   Domain                          Country          Monthly visits (SimilarWeb)
7/16/2015       www.zeldadungeon.net            USA              1.1 million
7/16/2015       www.mpora.com                   India            0.6 million
7/17/2015       www.tvjaa.com                   Thailand         2.8 million
7/19/2015       www.techz.vn                    Vietnam          3.7 million
7/19/2015       www.hello-pet.com               Indonesia        3.6 million
7/22/2015       www.kienthuc.net.vn             Vietnam          7.2 million
7/23/2015       www.hochi.co.jp                 Japan            1.8 million
7/23/2015       www.lavishcar.com               USA              0.9 million
7/25/2015       www.yaoiotaku.com               USA              0.3 million
7/25/2015       www.360kpop.com                 Vietnam          0.6 million
7/25/2015       www.piovegovernoladro.info      Italy            0.6 million
7/25/2015       www.undertexter.se              Sweden           0.3 million
7/26/2015       www.zougla.gr                   Greece           4.4 million
7/26/2015       www.sonicch.com                 Japan            1.1 million
7/27/2015       www.skypech.com                 Japan            0.5 million
7/27/2015       www.databazeknih.cz             Czech Republic   0.7 million

Here is an example of the new redirection chain (hop number, role, host):

 1. start          www.zeldadungeon.net
 2. malvert        ads.us.e-planning.net
 3. SSL redirect   ert-fr3-54.azurewebsites.net
 4. SSL redirect   abcmenorca.net
 5.                abzercdpeab.alver.miefifreetechbooks.net
 6.                abzercdpeab.lojad.gahwethats.net
 7. Angler         defis.uloozkolozzeum.net/viewtopic.php?<malware>

Update on July 16, 2015. The malvertising attack is ongoing; it has stopped using AOL's ADTECH.DE and now uses the SSL redirector at https://ads.us.e-planning.net instead. Newly infected domains include HuffingtonPost Japan. HuffingtonPost is owned by AOL, which in turn is now owned by Verizon.

  • www.huffingtonpost.jp (!)
  • www.philippinecompanies.com
  • www.funnie.st
  • www.mangapanda.com
  • ww.asianews2ch.jp
  • www.alarabeyes.com

Update on July 14, 2015. The attack is ongoing; here are the freshly infected domains. Please do not visit them:

  • v10.pl
  • sunsigns.org
  • viewmixed.com

It appears to be related to the "Malvertising Gone Wild" campaign covered by our friends at Invincea.

This Saturday, July 11, 2015, Cyphort Labs detected a malvertising campaign with infections on multiple websites. All of them appear to be highly popular websites in various countries, including Vietnam, Turkey, Japan, Saudi Arabia and Germany. AOL's advertising system ADTECH.DE and Microsoft's AZURE cloud were involved in the redirects for this campaign. What makes this attack unusual is the use of multiple SSL redirectors: the redirect traffic is encrypted, so the individual hops are much harder to follow by passive inspection of the traffic. Note that the redirector hostnames themselves still appear in proxy CONNECT logs and in the cleartext TLS SNI field, so they remain usable as indicators.

See the chart below: the Cyphort crawler observed a significant spike in the number of daily infections discovered.

[Chart: number of daily infections discovered by the Cyphort crawler, showing the spike]


A partial list of the websites infected in this campaign:

  • www.readms.com
  • www.bisnis.com
  • www.phununet.com
  • www.1jux.net
  • www.cricwaves.com
  • www.kaola.jp

One of the sites is readms.com, a Japanese manga comics site visited by 280,000 people monthly. Another compromised site is bisnis.com, a daily newspaper published in Jakarta, Indonesia, which primarily covers financial and business news and is visited by 4.7 million people monthly. Phununet.com is the 36th most popular site in Vietnam; it is the first social network for women in Vietnam, developed by Vietnam Online Group.

Here is the full malvertising chain for Phununet.com (hop number, role, host):

 1. start      phununet.com
 2.            media.adnetwork.vn
 3.            b.serving-system.com
 4.            tags.mathtag.com
 5. (SSL)      secserv.adtech.de
 6. (SSL)      ert-fr3-54.azurewebsites.net
 7. (SSL)      flavers.net
 8. exploit    cheewcineindya.in  (<Malware>)

Here is the code for the 3 SSL redirections used in this chain:

[Screenshots: redirector code served over SSL by the hops above]

The last SSL hop, https://flavers.net, answers with an HTTP 302 redirect to acpagaaagpc.bookb.opeikqqyewu.net.
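The SSL hops in these chains hide the URL paths from anyone watching the wire, but a forward proxy still records the hostname of every HTTPS connection in its CONNECT lines (and the same hostname travels in cleartext in the TLS SNI extension), so the chain can be reconstructed per client from hostnames alone. The script below is an added example written for this article, not Cyphort's tooling and not code from the original post. It parses Squid-style access-log lines, groups requests by client, and flags any client that touched one of the ad-network hosts from the two chains on this page and then one of the SSL redirectors within a short window, noting whether a landing host was reached afterwards. The log lines are constructed for the example (RFC 5737 server addresses, root paths only); the indicator hostnames are the ones quoted in this post.

```python
"""Hunt Squid-style proxy logs for the malvertising redirect chain described above.

Added example, not Cyphort's code. HTTPS hides the URL path of each SSL hop,
but the proxy still logs the hostname of every CONNECT, so the chain shows up
as a hostname sequence per client.
"""
import re
from collections import defaultdict

# Indicator hostnames quoted in this post (both redirection chains).
AD_HOSTS = {
    "media.adnetwork.vn", "b.serving-system.com", "tags.mathtag.com",
    "secserv.adtech.de", "ads.us.e-planning.net",
}
SSL_REDIRECTORS = {"ert-fr3-54.azurewebsites.net", "flavers.net", "abcmenorca.net"}
LANDING_HOSTS = {
    "cheewcineindya.in", "acpagaaagpc.bookb.opeikqqyewu.net",
    "abzercdpeab.alver.miefifreetechbooks.net", "abzercdpeab.lojad.gahwethats.net",
    "defis.uloozkolozzeum.net",
}

# Squid native access.log: time elapsed client action/code bytes method url ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log: client 10.0.0.5 walks the phununet.com chain,
# client 10.0.0.9 only touches an ad host and must not be flagged.
SAMPLE_LOG = """\
1436604001.123    120 10.0.0.5 TCP_MISS/200 5120 GET http://phununet.com/ - HIER_DIRECT/203.0.113.10 text/html
1436604001.900     80 10.0.0.5 TCP_MISS/200 812 GET http://media.adnetwork.vn/ - HIER_DIRECT/203.0.113.11 application/javascript
1436604002.400     60 10.0.0.5 TCP_MISS/302 410 GET http://b.serving-system.com/ - HIER_DIRECT/203.0.113.12 text/html
1436604002.700     55 10.0.0.5 TCP_MISS/302 398 GET http://tags.mathtag.com/ - HIER_DIRECT/203.0.113.13 text/html
1436604003.100    700 10.0.0.5 TCP_TUNNEL/200 3200 CONNECT secserv.adtech.de:443 - HIER_DIRECT/203.0.113.14 -
1436604003.800    500 10.0.0.5 TCP_TUNNEL/200 2100 CONNECT ert-fr3-54.azurewebsites.net:443 - HIER_DIRECT/203.0.113.15 -
1436604004.300    400 10.0.0.5 TCP_TUNNEL/200 1900 CONNECT flavers.net:443 - HIER_DIRECT/203.0.113.16 -
1436604005.000    900 10.0.0.5 TCP_MISS/200 65000 GET http://cheewcineindya.in/ - HIER_DIRECT/203.0.113.17 application/octet-stream
1436604010.000     90 10.0.0.9 TCP_TUNNEL/200 3000 CONNECT ads.us.e-planning.net:443 - HIER_DIRECT/203.0.113.18 -
1436604011.000     90 10.0.0.9 TCP_MISS/200 3000 GET http://www.example.com/ - HIER_DIRECT/203.0.113.19 text/html
"""


def host_from_request(method, url):
    """Return the lowercase hostname a proxy line was for, or None.

    For CONNECT (HTTPS) lines the proxy only sees host:port, which is exactly
    why the SSL redirectors stay visible even though their redirects are encrypted.
    """
    if method.upper() == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else None


def parse_line(line):
    """Parse one Squid native log line into (timestamp, client, host), or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = host_from_request(m.group("method"), m.group("url"))
    if host is None:
        return None
    return float(m.group("ts")), m.group("client"), host


def find_chains(lines, window=30.0):
    """Per client, detect ad-network host -> SSL redirector (-> landing host)
    within `window` seconds. An ad host alone is benign and is not reported."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            ts, client, host = ev
            by_client[client].append((ts, host))

    findings = []
    for client, events in sorted(by_client.items()):
        events.sort()
        chain, started = [], None

        def flush():
            # Report only if the sequence went through at least one SSL redirector.
            if any(h in SSL_REDIRECTORS for h in chain):
                findings.append({
                    "client": client,
                    "chain": list(chain),
                    "reached_landing_host": chain[-1] in LANDING_HOSTS,
                })
            chain.clear()

        for ts, host in events:
            if started is not None and ts - started > window:
                flush()
                started = None
            if host in AD_HOSTS:
                if started is None:
                    started = ts
                chain.append(host)
            elif chain and host in SSL_REDIRECTORS:
                chain.append(host)
            elif chain and host in LANDING_HOSTS:
                chain.append(host)
                flush()
                started = None
        flush()
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOG.splitlines()):
        print(f["client"], "->", " -> ".join(f["chain"]),
              "(landing host reached)" if f["reached_landing_host"] else "")
```

To run this against a real access.log, feed the file's lines to find_chains in place of SAMPLE_LOG. The ad-network hosts in AD_HOSTS are legitimate services that appear in plenty of benign traffic, which is why a hit on an ad host by itself is never reported; only the ad host followed by one of the SSL redirectors within the window is. The window and the three indicator sets are the knobs to tune as new hops are published.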

Adtech.de is an advertising platform with clients in 74 countries; it is owned by AOL. We have notified AOL's abuse and security teams about this issue.

Cyphort Labs is monitoring this malvertising campaign and will share more results as soon as they become available. Special thanks to Alex Burt for his help with the analysis.
