
If you visited these major websites recently, you could have a virus

Between Dec. 31, 2014 and Jan. 5, 2015, The Huffington Post and several major websites displayed malware-laced advertisements that infected computers and locked them down. Infected computers got this scary-looking message. It's a ransomware scam. Credit: Courtesy Cyphort


NEW YORK (CNNMoney) — This past week, The Huffington Post and several major websites displayed malware-laced advertisements that infected computers and locked them down.

The cyberattack and extortion campaign was discovered by researchers at cybersecurity firm Cyphort. The hackers are demanding money to unlock computers infected with their malware.

It’s unclear how many computers were infected. The attack appears to have only affected people running Windows PCs using outdated browsers, including Internet Explorer 8 — the most-used version of Microsoft’s IE browser. Modern, updated browsers such as Internet Explorer 11, Google Chrome and Mozilla’s latest version of Firefox were not susceptible to the malware.

The malware ran on ads served by AOL’s network between Dec. 31 and Jan. 5, researchers said. It’s possible that the campaign stretched as far back as October.

If you were using an older browser, merely visiting a website was enough to get hit with the malware. When ads appeared, they silently infected computers. People didn’t even have to click on them.

It affected ads displayed on The Huffington Post, men’s magazine FHM, alternative newspapers LA Weekly and Houston Press, video game site GameZone, and many others.

None of them responded to questions from CNNMoney.

AOL spokesman Gerasimos Manolatos said the company “quickly took the necessary steps to rectify” and said “AOL is committed to bringing new levels of transparency to the advertising process, ensuring ads uphold quality standards and create positive consumer experiences.”

However, AOL would not say how many people were exposed to the poison ads.

The malicious software is called Kovter, a nasty strain of so-called ransomware. Once infected, the computer cuts off access to the keyboard and mouse. The screen is blocked with a message claiming to be from law enforcement. It claims you’ve viewed child pornography and demands a $300 “fine” — suspiciously payable only via hard-to-trace, pre-paid Mastercard and Visa cards from MoneyPak.

The malware figures out your computer’s location, and tailors the message accordingly. American computers get a fake message from the FBI. Those in France see one from la Police nationale. There are custom messages for Germans, Turks and U.K. residents too.

There’s hope, though. Unlike its nastier cousins CryptoLocker and Cryptowall, the Kovter malware doesn’t encrypt your files. It just blocks you. So you can get access back if you reboot your computer in “safe mode,” launch an antivirus software such as MalwareBytes, and clean your computer.

How it happened

Many websites rely on third-party advertising networks that deliver ads to your screen. It’s an automated, complicated marketplace. Deals get made in milliseconds.

The sheer speed of buying and selling online ads lets criminals easily pose as legitimate customers with normal-looking ads. But those advertisements are actually laced with malware.

Malvertising, as it’s called, is hard to catch. One scan isn’t enough. Ads aren’t static pictures anymore. Ads deliver a stream of information that’s fed to them from a computer server, and that source can be changed repeatedly.

In this case, Cyphort explained, AOL’s alarms didn’t go off because the ad redirected its source eight times — ending up at a shady Polish website’s server.
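The redirect behaviour described above, seen from the defender's side, as an added example that is not from the article or from Cyphort: it rebuilds redirect chains from web-proxy records and flags long chains that end outside the ad network. The record format, the `.example` hosts, the trusted-host list and the hop limit are all assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumptions for this sketch: hosts ads are expected to end on, and a hop limit.
TRUSTED = {"adnet.example"}
MAX_HOPS = 3

# Constructed proxy records: (client, requested URL, status, Location header).
# Every host is a placeholder under .example; none comes from the article.
BAD = (["http://ads.adnet.example/slot?id=1"]
       + [f"http://r{i}.hop.example/go" for i in range(1, 8)]
       + ["http://landing.example/x"])
LOG = [("10.0.0.9", "http://ads.adnet.example/slot?id=2", 302, "/creative/2.html")]
LOG += [("10.0.0.5", BAD[i], 302, BAD[i + 1]) for i in range(8)]
LOG += [("10.0.0.5", BAD[8], 200, None),
        ("10.0.0.9", "http://ads.adnet.example/creative/2.html", 200, None)]


def build_chains(log):
    """Link each client's requests into chains via 3xx Location headers."""
    chains, pending = [], {}  # pending: (client, next URL) -> chain awaiting it
    for client, url, status, location in log:
        chain = pending.pop((client, url), None)
        if chain is None:          # not the target of an earlier redirect
            chain = []
            chains.append(chain)
        chain.append(url)
        if 300 <= status < 400 and location:
            # Location may be relative, so resolve it against the request URL
            pending[(client, urljoin(url, location))] = chain
    return chains


def assess(chain, trusted=TRUSTED, max_hops=MAX_HOPS):
    """Summarise one chain; flag long chains that end off the trusted hosts."""
    hosts = [urlsplit(u).hostname or "" for u in chain]
    final = hosts[-1]
    on_trusted = any(final == t or final.endswith("." + t) for t in trusted)
    hops = len(chain) - 1
    return {"start": chain[0], "final": final, "hops": hops,
            "distinct_hosts": len(set(hosts)),
            "suspicious": hops > max_hops and not on_trusted}


def report(log=LOG):
    return [assess(c) for c in build_chains(log)]


if __name__ == "__main__":
    for row in report():
        print(row)
```

Because the source behind an ad can change between scans, a check like this is only useful when run continuously over live traffic rather than once at ad submission.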

Nick Bilogorskiy, Cyphort’s security research director, said this malvertisement targeted every single visitor to

“These criminals really turned up the exposure and tried to compromise lots of people,” he said. “It’s unprecedented. We’ve never seen it at this scale.”

Bilogorskiy’s team, which scans the Internet for malware, is now reviewing records to see how far back the campaign goes.

Cyphort said it alerted AOL on Jan. 3. AOL shut down the malvertisements two days later.

Google’s software was also used to deliver the malvertisements, Cyphort said. Google did not respond to requests for comment.

“Malvertising is a big problem,” Bilogorskiy said. “We’re seeing it getting worse, and we’re expecting it to get really bad in 2015.”


1 Comment

  • shu

    actually it was earlier than that…I was getting them in mid 2014 if not earlier!!! but none of mine were asking for money!!
    it did lock up the computer though I was using IE 9 I think at the time and whatever is on Windows 8.1 it can still get to….happened to a female friend of mine a few weeks ago…she freaked out!!! I told her to Ctrl Shift Esc and get out of IE that way then run the 2 mallys she had and it caught them……. I thought it suspicious when I was on a Chinese phone site and it said I was looking at child porn like the pic at top of this page……I knew it was a fake……
