Posted: May 11, 2016


Emol[.]com suffers from malvertising.

Emol.com (El Mercurio On-Line) is a very popular information portal, ranked the 5th most visited site in Chile. El Mercurio is a conservative Chilean newspaper with a troubled past, including funding from the CIA in the early 1970s to undermine the Socialist government of Salvador Allende.

In more recent times, Emol was serving a malicious advert that automatically exposed visitors to the site to the Angler exploit kit. The infection came from ad platform adXion, whose client list includes emol.com, Yahoo Chile and others.

Traffic flow:

Publisher: emol.com

Ad platform: pn1.adxion.com/www/delivery/adifr_sphx.php?num={redacted}www.emol.com&rr=48917368

Fraudulent server: experienced.robeotics.com/provider/vicetpresident/ips.js

Angler EK landing: collinvitticumuliform.eventledsigns.com/WwwsTF/675902-PqtoHSXm-thBjx-OhwpDiUU-.php

Shadowed domain:

Hostname: experienced.robeotics.com

IP address: 188.227.18.113

Infrastructure: nginx

Main domain (parked):

Hostname: robeotics.com

IP address: 184.168.221.52 (GoDaddy)

Infrastructure: Microsoft-IIS/7.5
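The mismatch listed above (subdomain on a different IP and web server than the parked parent domain) is the telltale of a shadowed subdomain. The following Python is an added example, not code from the original post or from Malwarebytes, that turns that mismatch into a heuristic check and runs it over the traffic flow; the DNS answers and Server headers are a constructed inline table (robeotics.com values from the post, example.com values made up), and parent_domain() assumes two-label apex domains.

```python
from urllib.parse import urlsplit

# Constructed snapshot of resolver answers and HTTP Server headers. The two
# robeotics.com entries use the values quoted in the post; the example.com
# entries are made up (RFC 5737 documentation address) to show a clean case.
OBSERVED = {
    "robeotics.com":             {"ip": "184.168.221.52", "server": "Microsoft-IIS/7.5"},
    "experienced.robeotics.com": {"ip": "188.227.18.113", "server": "nginx"},
    "example.com":               {"ip": "192.0.2.10",     "server": "nginx"},
    "www.example.com":           {"ip": "192.0.2.10",     "server": "nginx"},
}

def parent_domain(host: str) -> str:
    """Registrable parent, approximated as the last two labels.
    Assumption: no multi-label public suffixes (e.g. .co.uk) in the data;
    a real deployment would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def shadowing_indicators(host: str, records: dict) -> list[str]:
    """Reasons a subdomain looks shadowed, i.e. hosted somewhere other than
    the registrant's own site. Returns [] when nothing stands out, when the
    host is itself the apex, or when parent data is missing."""
    parent = parent_domain(host)
    if parent == host or parent not in records or host not in records:
        return []
    sub, apex = records[host], records[parent]
    reasons = []
    if sub["ip"] != apex["ip"]:
        reasons.append(f"ip {sub['ip']} differs from apex {apex['ip']}")
    if sub["server"] != apex["server"]:
        reasons.append(f"server '{sub['server']}' differs from apex '{apex['server']}'")
    return reasons

def flag_chain(urls: list[str], records: dict) -> dict[str, list[str]]:
    """Walk a redirect chain (URLs as seen in proxy logs) and report every hop
    whose hostname shows shadowing indicators."""
    flagged = {}
    for url in urls:
        host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
        reasons = shadowing_indicators(host, records)
        if reasons:
            flagged[host] = reasons
    return flagged

# The traffic flow from the post, as a constructed chain of log entries.
CHAIN = [
    "www.emol.com",
    "pn1.adxion.com/www/delivery/adifr_sphx.php?num={redacted}www.emol.com&rr=48917368",
    "experienced.robeotics.com/provider/vicetpresident/ips.js",
    "collinvitticumuliform.eventledsigns.com/WwwsTF/675902-PqtoHSXm-thBjx-OhwpDiUU-.php",
]

if __name__ == "__main__":
    for host, why in flag_chain(CHAIN, OBSERVED).items():
        print(host, "->", "; ".join(why))
```

Only the robeotics.com hop is flagged; emol.com and adxion.com have no apex records in the table, so the check stays silent on them rather than guessing.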

This attack shares some commonalities with others we have observed more recently that leverage the same kind of redirector to Angler. We have notified adXion about this abuse of their platform.

We recommend that people keep their machines up to date and use an exploit mitigation tool such as Malwarebytes Anti-Exploit to block drive-by download attacks via malvertising. Angler EK, like many other exploit kits, has predominantly been delivering ransomware infections, and it goes without saying that prevention is better than reaction.