Cybercrime

Malvertisers Poison Yahoo’s Ad Network

Yahoo’s ad network suffered an attack that lasted for almost a week, Malwarebytes reported mid-day Monday.Malwarebytes earlier notified Yahoo of the attacks, which began July 28.

Yahoo had stopped them by the time the report was published, Malwarebytes said.

The attackers used the Angler Exploit Kit, described as highly sophisticated, to redirect visitors to ad sites on two Microsoft Azure domains.

Although it did not collect the payload in this campaign, Malwarebytes said that Angler drops a mix of ad fraud — Bedep — and ransomware in the form of the Cryptowall trojan.

Yahoo blocked the advertiser responsible from its network “as soon as we learned of this issue,” Yahoo said in a statement provided to the E-Commerce Times by spokesperson Margot Littlehale.

Leveraging Security

The attackers redirected people clicking on ads to domains run by Microsoft’s Azure cloud service because of Azure’s security, suggested Jerome Segura, senior security researcher at Malwarebytes Labs.

The attackers wanted to “leverage SSL connections offered by Azure, rendering all traffic to that website encrypted, thus making it much more difficult for us to retrace the full infection flow,” Segura said.

That figures — the Angler exploit kit uses various deobfuscation routines, antivirus detection, virtualization detection and scrambled encrypted URL paths. It runs dropped malware from memory without having to write to the hard drive, making it extremely difficult for traditional antivirus technologies to detect.

Microsoft Azure is the leader in terms of performance, according to Nasuni’s third biennial State of Cloud Provider report, published in May.

Speed? What Speed?

Yahoo’s claim that it promptly responded to the threat may be a matter of perspective.

“We got in touch with Yahoo very quickly after the discovery,” said Jerome Segura, senior security researcher at Malwarebytes.

Why didn’t Yahoo block the malware as soon as it was informed?

“Before shutting down any advertiser, the ad network needs to review the evidence and make the right call,” Segura told the E-Commerce Times.

This “takes a bit of time,” he pointed out — “and in this case, the advertiser was legitimate, so that alone made it more difficult to detect the malicious behavior in the first place.”

Time After Time

Those behind this latest attack in June launched other massive malvertising attacks, Segura said, targeting large news and media websites.

Facebook, CNN Indonesia, and the official websites of Prague Airport and RTL Television Croatia were among those attacked, according to Raytheon/Websense.

The Growth of Malvertising

Malvertising, or using ads as the vector for cyberattacks, is gaining ground among hackers.

Yahoo and AOL users were hit by malvertising in January 2014, and Yahoo was hit again in October.

Google’s DoubleClick ad network was hit in September 2014, and again in January of this year.

Malvertisements between January and June were 260 percent more than during the same period last year, and the number of unique malvertisements jumped 60 percent year over year, RiskIQ said..

Mobile apps are the most fruitful area for these attacks, RiskIQ said.

However, the attack on Yahoo this time targeted desktops, most likely in North America, Malwarebytes’ Segura said.

Beating the Malvertising Demons

Consumers and corporate users are affected equally by malvertising, “thanks to the ability of rogue advertisers to target their victims with unique precision,” Segura said.

Users must keep their computers up to date, enable “Click to Play” for the Adobe Flash Player, and use defense in depth, he recomended.

Wait, what? Adobe again? Yes — according to Segura, it’s the “No. 1 vector of infections.”

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Richard Adhikari
More in Cybercrime

E-Commerce Times Channels