|7/16/2015||www.zeldadungeon.net||USA||1.1 Million visits per month|
|7/16/2015||www.mpora.com||India||0.6 Million visits per month|
|7/17/2015||www.tvjaa.com||Thailand||2.8 Million visits per month|
|7/19/2015||www.techz.vn||Vietnam||3.7 Million visits per month|
|7/19/2015||www.hello-pet.com||Indonesia||3.6 Million visits per month|
|7/22/2015||www.kienthuc.net.vn||Vietnam||7.2 Million visits per month|
|7/23/2015||www.hochi.co.jp||Japan||1.8 Million visits per month|
|7/23/2015||www.lavishcar.com||USA||0.9 Million visits per month|
|7/25/2015||www.yaoiotaku.com||USA||0.3 Million visits per month|
|7/25/2015||www.360kpop.com||Vietnam||0.6 Million visits per month|
|7/25/2015||www.piovegovernoladro.info||Italy||0.6 Million visits per month|
|7/25/2015||www.undertexter.se||Sweden||0.3 Million visits per month|
|7/26/2015||www.zougla.gr||Greece||4.4 Million visits per month|
|7/26/2015||www.sonicch.com||Japan||1.1 Million visits per month|
|7/27/2015||www.skypech.com||Japan||0.5 Million visits per month|
|7/27/2015||www.databazeknih.cz||Czech Republic||0.7 Million visits per month|
Here is the new redirection chain example:
Update on July 16, 2015. Malvertising attack is ongoing, it stopped using AOL’s ADTECH.DE and uses SSL redirector at https://ads.us.e-planning.net instead. New infected domains include HuffingtonPost Japan. HuffingtonPost is owned by AOL which is now owned by Verizon.
- www.huffingtonpost.jp (!)
Update on July 14, 2015. Attack is ongoing, here are the freshly infected domains, please do not visit these:
It appears related to the “Malvertising Gone Wild” campaign covered by our friends at Invincea.
This Saturday, July 11, 2015, Cyphort Labs detected a malvertising campaign with infections on multiple websites. All of these appear to be top popular websites in various countries including Vietnam, Turkey, Japan, Saudi Arabia and Germany. AOL advertising system ADTECH.DE and Microsoft cloud AZURE were involved in redirects for this campaign. What makes this attack unique is the use of multiple SSL redirectors which encrypt the traffic and make the redirection harder to follow.
See the chart below – Cyphort crawler observed a significant spike in the number of daily infections discovered.
The partial list of the websites infected in this campaign is below:
One of the sites is readms.com – it is a Japanese Manga comics site, visited by 280,000 people monthly. Another compromised site is bisnis.com – a daily newspaper published in Jakarta, Indonesia, which primarily covers financial and business news and issues and is visited by 4.7 million people monthly. Phununet.com is the 36th most popular site in Vietnam – it is the first social network for women in Vietnam, developed, by Vietnam Online Group.
Here is the full malvertising chain for Phununet.com:
|1 – start||phununet.com|
Here is the code for the 3 SSL redirections used in this chain:
redirect http 302 to acpagaaagpc.bookb.opeikqqyewu.net
Adtech.de is an advertising platform, with clients in 74 countries. It is owned by AOL. We have notified AOL abuse and security team about this issue.
Cyphort Labs is monitoring this malvertising campaign and will share more results as soon as they become available. Special thanks to Alex Burt for his help with the analysis.