Malvertisers abused Yahoo's ad network for days


A large-scale malvertising attack abusing Yahoo's ad network has been hitting visitors of the Internet giant's many popular and heavy-traffic sites for nearly a week.

Started on July 28th, the campaign showed malicious ads that would redirect visitors to a site hosting the Angler exploit kit, which would then attempt to exploit an Adobe Flash vulnerability on the victims' computers.

The attack was spotted by Malwarebytes’ researchers, who immediately notified Yahoo, and the company put a stop to it.

“As soon as we learned of this issue, our team took action and will continue to investigate this issue,” Yahoo noted.

“Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We'll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”

Malwarebytes’ researchers didn’t manage to get the ultimate malicious payload delivered by the exploit kit, but Angler has lately been dropping a mix of ad fraud malware and ransomware. It’s also unknown how many users have been victimized.

“This one is a doozy in terms of scale, because it uses Yahoo's properties, which see nearly 7 billion visits per month,” commented Kowsik Guruswamy, CTO for Menlo Security.

“The method of the attack is nothing new: Bad actors place ads via Yahoo’s network, and the ads direct users to sites that have been compromised and set up to serve malware.”

This particular campaign has been stopped by Yahoo, but if you are still running Flash on your system, you should make sure to update it regularly. And if you have been lax in doing that, checking your computer for malware is a good idea.
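The attack chain described above (publisher page, ad network, redirect to an exploit-kit landing page, Flash exploit) leaves a trail in ordinary web-proxy logs. As an added illustration, and not code from Yahoo, Malwarebytes or Menlo Security, the script below reconstructs per-client referrer chains from constructed proxy log lines and flags any chain that passed through an ad-network host and ended in a Flash object served from a host outside the publisher's known creative-hosting allowlist. The log format, hostnames (all under the reserved `.test` TLD), `AD_NETWORKS` and `KNOWN_CREATIVE_HOSTS` sets are assumptions made for the example.

```python
"""Reconstruct ad redirect chains from web-proxy logs and flag chains that
end in a Flash object served from an unexpected host.

Added example for this article; not code from any party named in it. The
log format, hostnames and allowlists below are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed proxy log lines: <client> <url> <referer or -> <content-type>
# Client 10.0.0.5 sees a normal ad (image plus a Flash creative from the
# ad network's own CDN); client 10.0.0.7 is bounced from the ad slot to a
# third-party landing page that serves a Flash object.
SAMPLE_LOG = """\
10.0.0.5 https://news.example-portal.test/ - text/html
10.0.0.5 https://ads.example-adnet.test/serve?id=1 https://news.example-portal.test/ text/html
10.0.0.5 https://cdn.example-adnet.test/banner.jpg https://ads.example-adnet.test/serve?id=1 image/jpeg
10.0.0.5 https://cdn.example-adnet.test/creative.swf https://ads.example-adnet.test/serve?id=1 application/x-shockwave-flash
10.0.0.7 https://news.example-portal.test/ - text/html
10.0.0.7 https://ads.example-adnet.test/serve?id=2 https://news.example-portal.test/ text/html
10.0.0.7 https://landing.rogue-host.test/in.php https://ads.example-adnet.test/serve?id=2 text/html
10.0.0.7 https://landing.rogue-host.test/x.swf https://landing.rogue-host.test/in.php application/x-shockwave-flash
"""

# Assumed hostnames for the example: the ad network's serving host and the
# hosts from which its creatives are legitimately expected to be loaded.
AD_NETWORKS = {"ads.example-adnet.test"}
KNOWN_CREATIVE_HOSTS = {"cdn.example-adnet.test"}
FLASH_TYPES = {"application/x-shockwave-flash", "application/vnd.adobe.flash.movie"}


def parse_log(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, referer, ctype = line.split()
        events.append({
            "client": client,
            "url": url,
            "referer": None if referer == "-" else referer,
            "ctype": ctype,
        })
    return events


def host(url):
    return urlparse(url).hostname or ""


def build_chain(event, by_url):
    """Walk Referer headers backwards (per client) to rebuild the chain
    that led to this request, oldest request first."""
    chain = [event["url"]]
    seen = {event["url"]}
    cur = event
    while cur["referer"] and cur["referer"] not in seen:
        prev = by_url.get((cur["client"], cur["referer"]))
        if prev is None:
            break
        chain.append(prev["url"])
        seen.add(prev["url"])
        cur = prev
    return list(reversed(chain))


def find_suspicious_chains(events):
    """Return chains that pass through an ad-network host and end in a
    Flash object fetched from a host not on the creative allowlist."""
    by_url = {}
    for e in events:
        by_url.setdefault((e["client"], e["url"]), e)
    findings = []
    for e in events:
        if e["ctype"] not in FLASH_TYPES:
            continue
        chain = build_chain(e, by_url)
        hosts = [host(u) for u in chain]
        came_via_ad = any(h in AD_NETWORKS for h in hosts[:-1])
        if came_via_ad and hosts[-1] not in KNOWN_CREATIVE_HOSTS:
            findings.append({"client": e["client"], "chain": chain})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(f["client"], " -> ".join(f["chain"]))
```

The allowlist is what keeps the rule from firing on every Flash creative an ad network legitimately serves; in practice it would be populated from the ad partners a publisher has actually contracted with, and a hit means a Flash object reached a browser via the ad slot from somewhere else, which is exactly the pattern this campaign used.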

“The inconvenient truth about the Web is that it's dangerous and it's not the kind of place you should go without effective protection. There's no way to stop cyber criminals from attacking, and there's no way to detect and stop all of their attacks. The only way to be safe is to execute *all* Web content away from your endpoint so it can't do harm even if it's malicious. That's what isolation security is all about, and it seems pretty clear that its time has come,” noted Guruswamy.

“The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it. It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns,” added Malwarebytes' Jerome Segura.