On Sunday, Malwarebytes' senior security researcher Jerome Segura reported on the Malwarebytes official security blog the discovery of a large-scale malvertising campaign in which the same attackers who exploited vulnerabilities in Adobe Flash used advertising on Yahoo's largest websites to distribute malware to billions of visitors (Yahoo has 6.9 billion monthly visits).
The attackers abused Yahoo's own ad network and leveraged Microsoft Azure websites to spread the increasingly popular Angler Exploit Kit (EK) to unsuspecting site visitors. Although the campaign ultimately led victims to the Angler EK, the security company didn't collect information on its payload. However, it did note that this EK often leads to Bedep ad fraud and CryptoWall ransomware.
As Segura notes: “...malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain.”
In an email to SCMagazineUK.com, Nick Buchholz, senior threat researcher, Damballa, added: "Ads themselves are not a direct infection vector for malware. Rather, they can be used to redirect to exploit kit landing pages, which use a number of different exploits to compromise a victim and force them into downloading a malicious payload. Every step of this process - redirection, getting information about the victim's machine/software, sending exploits, and then delivering the malware - is modular, meaning that every part can be updated and replaced as the attacker's infrastructure changes, exploits get patched or disclosed, or new payloads are developed. This is why exploit kits are such a viable mechanism for attackers (and why they pose such a serious threat) - they can constantly adapt and evolve.
"Yahoo is a high-traffic site (Alexa rank #5), and it's not surprising that an attacker would try to leverage such a target-rich environment. Many popular sites attract these types of threats. The Atlantic and AOL were used in a similar campaign last October."
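The modular chain Buchholz describes (ad, redirector, landing page, exploit) is also what a defender can look for in web-proxy logs. The following Python is an added example, not code from the article or from any of the companies quoted; it assumes a constructed log format of client, URL, referer and content type, and uses placeholder hostnames rather than any indicators from the incident. It flags a client whose browsing went from the publisher's ad network through a host on azurewebsites.net (the redirector the article mentions) to a Flash object served from a host the ad network does not normally use.

```python
"""Triage of web-proxy logs for the malvertising chain described in the article:
ad-network referer -> redirector on an Azure website -> Flash object from an
unfamiliar host. All log lines and hostnames below are constructed placeholders."""
from collections import defaultdict

# Constructed sample log: client, URL, referer ("-" if none), content-type
SAMPLE_LOG = """\
10.0.0.5 https://news.example-portal.test/ - text/html
10.0.0.5 https://ads.example-adnetwork.test/serve?id=1 https://news.example-portal.test/ text/html
10.0.0.5 https://redir-placeholder.azurewebsites.net/go https://ads.example-adnetwork.test/serve?id=1 text/html
10.0.0.5 https://landing-placeholder.test/index.php https://redir-placeholder.azurewebsites.net/go text/html
10.0.0.5 https://landing-placeholder.test/x.swf https://landing-placeholder.test/index.php application/x-shockwave-flash
10.0.0.9 https://ads.example-adnetwork.test/serve?id=2 https://news.example-portal.test/ text/html
10.0.0.9 https://cdn.example-adnetwork.test/banner.swf https://ads.example-adnetwork.test/serve?id=2 application/x-shockwave-flash
"""

AD_HOSTS = {"ads.example-adnetwork.test"}           # assumed: the publisher's ad network
KNOWN_FLASH_HOSTS = {"cdn.example-adnetwork.test"}  # assumed: legitimate Flash ad CDN
FLASH = "application/x-shockwave-flash"

def host(url):
    """Hostname of a URL, or "" for a missing referer ("-")."""
    return url.split("/", 3)[2].lower() if "://" in url else ""

def parse(log):
    for line in log.splitlines():
        client, url, ref, ctype = line.split()
        yield client, url, ref, ctype

def find_chains(log):
    """Map client -> host that served Flash at the end of an ad -> Azure chain."""
    by_client = defaultdict(list)
    for client, url, ref, ctype in parse(log):
        by_client[client].append((url, ref, ctype))
    hits = {}
    for client, reqs in by_client.items():
        # host reached by following referers from an ad -> did the chain pass Azure?
        tainted = {h: False for h in AD_HOSTS}
        for url, ref, ctype in reqs:
            h, r = host(url), host(ref)
            if r in tainted and h not in tainted:
                tainted[h] = tainted[r] or h.endswith(".azurewebsites.net")
            if ctype == FLASH and tainted.get(h) and h not in KNOWN_FLASH_HOSTS:
                hits[client] = h
    return hits

if __name__ == "__main__":
    for client, h in find_chains(SAMPLE_LOG).items():
        print(f"{client}: possible malvertising chain ending in Flash from {h}")
```

A Flash ad fetched directly from the ad network's own CDN (client 10.0.0.9) is not flagged, only a chain that detours through an Azure-hosted redirector to an unfamiliar host.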
The campaign is believed to have kicked off on July 28. Once it was discovered, Segura notified Yahoo! and later wrote: “We are pleased to report that they took immediate action to stop the issue. The campaign is no longer active.”
Regarding preemptive action, Lawrence Munro, EMEA and APAC director of Trustwave, told SCMagazineUK.com: "To avoid falling victim, the first and most important action is to make sure all software is up to date, and uninstall any software that is actually not in use. Businesses should be using managed anti-malware controls, such as gateway technologies that can detect and strip out malware in real-time. These kinds of security controls help prevent such an attack."
Yahoo!'s response statement adds: “Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue.
"Unfortunately, disruptive ad behaviour affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We'll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”
Buchholz adds: "It's worth noting that (as far as we know), Yahoo itself was never breached as part of the campaign. While Yahoo was used as a platform for serving the malicious ads, the company was not so much the victim of the campaign as its users were."
In an email to SCMagazineUK.com, Grayson Milbourne, security intelligence director at cyber-security firm Webroot, commented: “With the pure scale and size of Yahoo – many people may have fallen victim to this attack. Monetary gain is the primary motivation for attacks of this nature and in many cases, ads are just traps for additional attacks. This exploit is an indication that potential breaches are heading in the direction of becoming more complex in nature, and with further reaching effects on a larger number of end-users.
“Exercising prudence when obtaining and installing software is crucial to staying protected from these types of attacks. End-users should keep in mind that often a quick search can give useful information on the general level of public trust. To stay protected, I encourage users to use the Chrome browser along with an ad-removal extension. There are a number to pick from, and using this combination offers the best chance of preventing an ad network redirect to an exploit kit.”
Munro also told SC: "Trustwave researchers have recently been carrying out in-depth research into a new malware attack, which uses the exploit kit RIG 3.0 to infect users worldwide. This particular malware attack has so far infected more than 1.25 million victims worldwide and more than 3.6 million attack attempts, with 90 percent of the traffic flowing into the various campaigns of the RIG exploit kit being as a result of malvertisements. Many large websites were found to be abused by malvertising campaigns in order to redirect visitors to the RIG exploit kit, including news sites, investment consulting firms, IT solution providers etc."