The cyberattack and extortion campaign was discovered by researchers at cybersecurity firm Cyphort. The hackers are demanding money to unlock computers infected with their malware.
It’s unclear how many computers were infected. The attack appears to have only affected people running Windows PCs using outdated browsers, including Internet Explorer 8 — the most-used version of Microsoft’s IE browser. Modern, updated browsers such as Internet Explorer 11, Google Chrome and Mozilla’s latest version of Firefox were not susceptible to the malware.
The malware ran on ads served by AOL’s network between Dec. 31 until Jan. 5, researchers said. It’s possible that the campaign stretched as far back as October.
If you were using an older browser, merely visiting a website was enough to get hit with the malware. When ads appeared, they silently infected computers. People didn’t even have to click on them.
It affected ads displayed on The Huffington Post, men’s magazine FHM, alternative newspapers LA Weekly and Houston Press, video game site GameZone, and many others.
None of them responded to questions from CNNMoney.
AOL spokesman Gerasimos Manolatos said the company “quickly took the necessary steps to rectify” and said “AOL is committed to bringing new levels of transparency to the advertising process, ensuring ads uphold quality standards and create positive consumer experiences.”
However, AOL would not say how many people were exposed to the poison ads.
The malicious software is called Kovter, a nasty strain of so-called ransomware. Once infected, the computer cuts off access to the keyboard and mouse. The screen is blocked with a message claiming to be from law enforcement. It claims you’ve viewed child pornography and demands a $300 “fine” — suspiciously payable only via hard-to-trace, pre-paid Mastercard and Visa cards from MoneyPak.
The malware figures out your computer’s location, and tailors the message accordingly. American computers get a fake message from the FBI. Those in France see one from la Police nationale. There are custom messages for Germans, Turks and U.K. residents too.
There’s hope, though. Unlike its nastier cousins CryptoLocker and Cryptowall, the Kovter malware doesn’t encrypt your files. It just blocks you. So you can get access back if you reboot your computer in “safe mode,” launch an antivirus software such as MalwareBytes, and clean your computer.
How it happened
Many websites rely on third-party advertising networks that deliver ads to your screen. It’s an automated, complicated marketplace. Deals get made in milliseconds.
The sheer speed of buying and selling online ads lets criminals easily pose as legitimate customers with normal-looking ads. But those advertisements are actually laced with malware.
Malvertising, as it’s called, is hard to catch. One scan isn’t enough. Ads aren’t static pictures anymore. Ads deliver a stream of information that’s fed to them from a computer server, and that source can be changed repeatedly.
In this case, Cyport explained, AOL’s alarms didn’t go off because the ad redirected its source eight times — ending up at a shady Polish website’s server.
Nick Bilogorskiy, Cyphort’s security research director, said this malvertisement targeted every single visitor to HuffingtonPost.com.
“These criminals really turned up the exposure and tried to compromise lots of people,” he said. “It’s unprecedented. We’ve never seen it at this scale.”
Bilogorskiy’s team, which scans the Internet for malware, is now reviewing records to see how far back the campaign goes.
Cyphort said it alerted AOL on Jan. 3. AOL shut down the malvertisements two days later.
Google’s software was also used to deliver the malvertisements, Cyphort said. Google did not respond to questions for comment.
“Malvertising is a big problem,” Bilogorskiy said. “We’re seeing it getting worse, and we’re expecting it to get really bad in 2015.”