7/16/2015  www.zeldadungeon.net USA 1.1 Million visits per month
7/16/2015  www.mpora.com India 0.6 Million visits per month
7/17/2015  www.tvjaa.com Thailand 2.8 Million visits per month
7/19/2015  www.techz.vn Vietnam 3.7 Million visits per month
7/19/2015  www.hello-pet.com Indonesia 3.6 Million visits per month
7/22/2015  www.kienthuc.net.vn Vietnam 7.2 Million visits per month
7/23/2015  www.hochi.co.jp Japan 1.8 Million visits per month
7/23/2015  www.lavishcar.com USA 0.9 Million visits per month
7/25/2015  www.yaoiotaku.com USA 0.3 Million visits per month
7/25/2015  www.360kpop.com Vietnam 0.6 Million visits per month
7/25/2015  www.piovegovernoladro.info Italy 0.6 Million visits per month
7/25/2015  www.undertexter.se Sweden 0.3 Million visits per month
7/26/2015  www.zougla.gr Greece 4.4 Million visits per month
7/26/2015  www.sonicch.com Japan 1.1 Million visits per month
7/27/2015  www.skypech.com Japan 0.5 Million visits per month
7/27/2015  www.databazeknih.cz Czech Republic 0.7 Million visits per month


Here is the new redirection chain example:

 1 start  www.zeldadungeon.net
 2 malvert  ads.us.e-planning.net
 3_SSL_redirect  ert-fr3-54.azurewebsites.net
 4_SSL_redirect  abcmenorca.net
 5  abzercdpeab.alver.miefifreetechbooks.net
 6  abzercdpeab.lojad.gahwethats.net
 7 Angler  defis.uloozkolozzeum.net/viewtopic.php?<malware>




Update on July 16, 2015. The malvertising attack is ongoing; it has stopped using AOL’s ADTECH.DE and now uses an SSL redirector at https://ads.us.e-planning.net instead. Newly infected domains include HuffingtonPost Japan. HuffingtonPost is owned by AOL, which is now owned by Verizon.


  • www.huffingtonpost.jp (!)
  • www.philippinecompanies.com
  • www.funnie.st
  • www.mangapanda.com
  • ww.asianews2ch.jp
  • www.alarabeyes.com




Update on July 14, 2015. The attack is ongoing. Here are the freshly infected domains; please do not visit these:

  • v10.pl
  • sunsigns.org
  • viewmixed.com

It appears related to the “Malvertising Gone Wild” campaign covered by our friends at Invincea.


This Saturday, July 11, 2015, Cyphort Labs detected a malvertising campaign with infections on multiple websites. All of these appear to be top websites in various countries, including Vietnam, Turkey, Japan, Saudi Arabia and Germany. The AOL advertising system ADTECH.DE and the Microsoft cloud AZURE were involved in redirects for this campaign. What makes this attack unique is the use of multiple SSL redirectors, which encrypt the traffic and make the redirection harder to follow.

See the chart below: the Cyphort crawler observed a significant spike in the number of daily infections discovered.



A partial list of the websites infected in this campaign is below:

  • www.readms.com
  • www.bisnis.com
  • www.phununet.com
  • www.1jux.net
  • www.cricwaves.com
  • www.kaola.jp

One of the sites is readms.com, a Japanese manga comics site visited by 280,000 people monthly. Another compromised site is bisnis.com, a daily newspaper published in Jakarta, Indonesia, which primarily covers financial and business news and issues and is visited by 4.7 million people monthly. Phununet.com is the 36th most popular site in Vietnam; it is the first social network for women in Vietnam, developed by Vietnam Online Group.

Here is the full malvertising chain  for Phununet.com: 

 1 – start  phununet.com
 2  media.adnetwork.vn
 3  b.serving-system.com
 4  tags.mathtag.com
 5 (SSL)  secserv.adtech.de
 6 (SSL)  ert-fr3-54.azurewebsites.net
 7 (SSL)  flavers.net
 exploit  <Malware>cheewcineindya.in

Here is the code for the 3 SSL redirections used in this chain: 



 from: https://flavers.net

redirect http 302 to acpagaaagpc.bookb.opeikqqyewu.net
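
The pattern in the Phununet.com chain above (several SSL redirectors on unrelated domains, then a plaintext exploit host) can be searched for in proxy or crawler logs. The Python below is an added example, not part of the original post or Cyphort's tooling: it takes an ordered list of (scheme, host) hops and reports such a handoff. The function names, the two-label domain rule and treating hops the page does not mark (SSL) as plain HTTP are assumptions.

```python
# Added example, not Cyphort's code. Hop data is constructed from the
# Phununet.com chain on this page; hops the page does not mark (SSL) are
# assumed to be plain HTTP, and the "<Malware>" prefix of the last hop is omitted.
PHUNUNET_CHAIN = [
    ("http", "phununet.com"),
    ("http", "media.adnetwork.vn"),
    ("http", "b.serving-system.com"),
    ("http", "tags.mathtag.com"),
    ("https", "secserv.adtech.de"),
    ("https", "ert-fr3-54.azurewebsites.net"),
    ("https", "flavers.net"),
    ("http", "cheewcineindya.in"),
]
# Constructed benign chain: two TLS domains, no plaintext handoff.
BENIGN_CHAIN = [
    ("https", "news.example"),
    ("https", "ads.example"),
    ("https", "cdn.ads.example"),
]

def reg_domain(host):
    """Naive registrable domain (last two labels). Assumption for brevity:
    use a public suffix list in production so co.jp-style suffixes work."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_tls_handoff(hops, min_tls_hops=2):
    """Return (tls_hosts, landing_host) when at least min_tls_hops consecutive
    HTTPS hops on distinct registrable domains hand off to a plaintext hop on
    yet another domain; return None otherwise."""
    run = []  # current run of HTTPS hops, one entry per registrable domain
    for scheme, host in hops:
        dom = reg_domain(host)
        seen = {reg_domain(h) for h in run}
        if scheme == "https":
            if dom not in seen:
                run.append(host)
            continue
        # Plaintext hop: report it if it follows a long enough TLS run.
        if len(run) >= min_tls_hops and dom not in seen:
            return run, host
        run = []
    return None

if __name__ == "__main__":
    print(find_tls_handoff(PHUNUNET_CHAIN))
    print(find_tls_handoff(BENIGN_CHAIN))
```

A hit is a lead for review rather than a verdict; the returned TLS hosts are the redirectors to check against ad-serving logs.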



Adtech.de is an advertising platform with clients in 74 countries. It is owned by AOL. We have notified the AOL abuse and security team about this issue.

Cyphort Labs is monitoring this malvertising campaign and will share more results as soon as they become available. Special thanks to Alex Burt for his help with the analysis.