Malvertising on international websites with SSL redirectors

Posted on July 27th, 2015 by Nick Bilogorskiy

Update on July 27, 2015. The malvertising attack is still going strong, using an SSL redirector at .

In the last 10 days, Cyphort Labs found many more infected domains – they are listed below. Please refrain from visiting these sites, as they are dangerous.
We have notified about this issue and they are actively working to resolve it. At least 10 million people have visited these websites and were potentially exposed to the Angler exploit kit in the last 10 days according to our estimates and data from SimilarWeb.



| Date | Country | Visits per month |
|---|---|---|
| 7/16/2015 | USA | 1.1 million |
| 7/16/2015 | India | 0.6 million |
| 7/17/2015 | Thailand | 2.8 million |
| 7/19/2015 | Vietnam | 3.7 million |
| 7/19/2015 | Indonesia | 3.6 million |
| 7/22/2015 | Vietnam | 7.2 million |
| 7/23/2015 | Japan | 1.8 million |
| 7/23/2015 | USA | 0.9 million |
| 7/25/2015 | USA | 0.3 million |
| 7/25/2015 | Vietnam | 0.6 million |
| 7/25/2015 | Italy | 0.6 million |
| 7/25/2015 | Sweden | 0.3 million |
| 7/26/2015 | Greece | 4.4 million |
| 7/26/2015 | Japan | 1.1 million |
| 7/27/2015 | Japan | 0.5 million |
| 7/27/2015 | Czech Republic | 0.7 million |


Here is the new redirection chain example:

 1 start
 2 malvert
 7 Angler<malware>




Update on July 16, 2015. The malvertising attack is ongoing; it stopped using AOL’s ADTECH.DE and uses an SSL redirector at instead. New infected domains include HuffingtonPost Japan. HuffingtonPost is owned by AOL, which is now owned by Verizon.

  • (!)




Update on July 14, 2015. The attack is ongoing. Here are the freshly infected domains; please do not visit these:


It appears related to the “Malvertising Gone Wild” campaign covered by our friends at Invincea.


This Saturday, July 11, 2015, Cyphort Labs detected a malvertising campaign with infections on multiple websites. All of these appear to be among the most popular websites in various countries, including Vietnam, Turkey, Japan, Saudi Arabia and Germany. AOL's advertising system ADTECH.DE and Microsoft's Azure cloud were involved in the redirects for this campaign. What makes this attack unique is the use of multiple SSL redirectors, which encrypt the traffic and make the redirection chain harder to follow.

 See the chart below – Cyphort crawler observed a significant spike in the number of daily infections discovered. 



 The partial list of the websites infected in this campaign is below:


One of the sites is – it is a Japanese manga comics site, visited by 280,000 people monthly. Another compromised site is – a daily newspaper published in Jakarta, Indonesia, which primarily covers financial and business news and issues and is visited by 4.7 million people monthly. is the 36th most popular site in Vietnam – it is the first social network for women in Vietnam, developed by Vietnam Online Group.

Here is the full malvertising chain  for 

 1 – start
 5 (SSL)
 6 (SSL)
 7 (SSL)
 exploit  <Malware>

Here is the code for the 3 SSL redirections used in this chain: 

ssl_redir1 ssl_redir2


redirect http 302 to is an advertising platform, with clients in 74 countries. It is owned by AOL. We have notified the AOL abuse and security team about this issue.
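The following is an added example, not Cyphort's code. It sketches how a defender could flag the chain shape described above from crawler or TLS-inspecting proxy records, by following each redirect and counting the distinct HTTPS redirector hosts that sit between the ad request and an unrelated landing host. The response records, the `example.test` hostnames, the function names and the threshold of two redirector hosts are all constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed responses (url -> (status, Location)); hostnames are placeholders, not IoCs.
MALVERT = {
    "http://ads.example.test/serve?id=1": (302, "https://r1.example.test/a"),
    "https://r1.example.test/a": (302, "https://r2.example.test/b"),
    "https://r2.example.test/b": (302, "https://r3.example.test/c"),
    "https://r3.example.test/c": (302, "http://landing.example.test/x"),
    "http://landing.example.test/x": (200, None),
}
BENIGN = {  # ordinary same-site HTTP-to-HTTPS upgrade
    "http://shop.example.test/": (301, "https://shop.example.test/"),
    "https://shop.example.test/": (302, "/home"),
    "https://shop.example.test/home": (200, None),
}

def follow_chain(start_url, responses, max_hops=10):
    """Follow Location headers from start_url; return every URL visited."""
    chain, url = [start_url], start_url
    while len(chain) <= max_hops:
        status, location = responses.get(url, (None, None))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)      # Location may be relative
        if url in chain:                  # redirect loop, stop
            break
        chain.append(url)
    return chain

def ssl_redirector_hosts(chain):
    """Hosts of the intermediate HTTPS hops (between entry and landing)."""
    return [urlsplit(u).hostname for u in chain[1:-1]
            if urlsplit(u).scheme == "https"]

def is_suspicious(chain, min_ssl_hosts=2):
    """Assumed heuristic: several distinct HTTPS redirector hosts that end
    on a landing host not seen earlier in the chain."""
    hosts = set(ssl_redirector_hosts(chain))
    entry, landing = urlsplit(chain[0]).hostname, urlsplit(chain[-1]).hostname
    return len(hosts) >= min_ssl_hosts and landing not in hosts | {entry}

if __name__ == "__main__":
    for start, data in (("http://ads.example.test/serve?id=1", MALVERT),
                        ("http://shop.example.test/", BENIGN)):
        chain = follow_chain(start, data)
        print(len(chain), ssl_redirector_hosts(chain), is_suspicious(chain))
```

Without TLS inspection a proxy sees only the hostname of each HTTPS hop, so the same count has to be built from connection order and timing rather than from `Location` headers.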

Cyphort Labs is monitoring this malvertising campaign and will share more results as soon as they become available. Special thanks to Alex Burt for his help with the analysis.

