Large Malvertising Campaign Takes on Yahoo!

Posted: August 3, 2015 by Jérôme Segura
Last updated: March 30, 2016

June and July have set new records for malvertising attacks. We have just uncovered a large scale attack abusing Yahoo!’s own ad network.

As soon as we detected the malicious activity, we notified Yahoo! and we are pleased to report that they took immediate action to stop the issue. The campaign is no longer active at the time of publishing this blog.

This latest campaign started on July 28th, as seen from our own telemetry. According to data from SimilarWeb, Yahoo!’s website has an estimated 6.9 Billion visits per month making this one of the largest malvertising attacks we have seen recently.

www.yahoo.com | 6.9B monthly visits
news.yahoo.com | 308.50M monthly visits
finance.yahoo.com | 135M monthly visits
sports.yahoo.com | 112.50M monthly visits
celebrity.yahoo.com | 66.60M monthly visits
games.yahoo.com | 43.40M monthly visits

ads.yahoo.com
  -> adslides.rotator.hadj1.adjuggler.net
   -> ch2-34-ia.azurewebsites.net/?ekrug=sewr487giviv93=12dvr4g4
    -> basestyle.org/?id=1423150231&JHRufu346&camp=URhfn67458&click=UEjd856
     -> siege.nohzuespoluprace.net/forums/viewforum.php?f=2sb49&sid=y1yki0

As with the previous reported cases this one also leverages Microsoft Azure websites:

We have observed two main domains being used:

trv0-67sc.azurewebsites.net/?=trv0-s4-67sc
ch2-34-ia.azurewebsites.net/?ekrug=sewr487giviv93=12dvr4g4

The sequence of redirections eventually leads to the Angler Exploit Kit:

We did not collect the payload in this particular campaign although we know that Angler has been dropping a mix of ad fraud (Bedep) and ransomware (CryptoWall).

Malwarebytes Anti-Exploit users were already protected against this attack.

We would like to thank Yahoo! for their prompt response with this incident. Here’s their official statement:

“Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue.

Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”

Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain.

The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it. It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns.

COMMENTS

Pingback: Yahoo tackles large ‘malvertising’ campaign in its ad network | POPFIX - #Celebrity, #Tech, #Sports News()
Pingback: Tips.com.gr | Yahoo tackles large ‘malvertising’ campaign in its ad network()
Pingback: Yahoo tackles large 'malvertising' campaign in its ad network | BALKANSKI TV KANALI()
Pingback: Yahoo tackles large 'malvertising' campaign in its ad network | Global Wireless Research()
Pingback: Yahoo tackles large 'malvertising' campaign in its ad network - Sys Logic Technology Services, LLC()
Pingback: Yahoo tackles large 'malvertising' campaign in its ad network | IP Pings()
Pingback: Yahoo tackles large ‘malvertising’ campaign in its ad network | Virus / malware / hacking / security news()
Gregory Ryan Norris

Apparently Yahoo changed their tune a bit from when I reported a virus. It was many years ago when I had a yahoo mail account and a worm kept sending messages from my account. They insisted I had a virus on my system despite the facts that 1.) I had run both mbam and eset’s scanners on my system and 2.) the messages were spread when I had no connection to the internet. The messages were also the annoying automated type that tell you that no one actually read the message (like when you email tech support and tell them a device isn’t powering up despite other devices working in the outlet and they reply try moving it to another outlet or plugging something else in to make sure it works…)
Pingback: Yahoo tackles large 'malvertising' campaign in its ad network | fairtechsupport.com()
Pingback: Yahoo! homepage caught spreading CryptoWall malware (again) | LeeFuller.io()
Pingback: Huge malware campaign used Yahoo's ad network | Taiwan NO 01()
Pingback: Huge malware campaign used Yahoo’s ad network | iTruckTV()
Pingback: Huge malware campaign used Yahoo's ad network - Popular Trending | trends.my.id()
Pingback: Huge malware campaign used Yahoo's ad network - Ask a Question and Get Answer Frequently Asked Questions()
Pingback: Huge malware campaign used Yahoo's ad network — Cath News India()
Pingback: Huge malware campaign used Yahoo’s ad network | My Power Health()
Pingback: BlackHat 2015: RiskIQ reports huge spike in malvertising | OFF THE BLOCK NEWS()
Pingback: Huge malware campaign used Yahoo's ad network | insurance()
Pingback: Yahoo tackles large malicious ad campaign in its network | POPFIX - #Celebrity, #Tech, #Sports News()
Pingback: Fast Forward: Flash-Malware, WordPress 4.2.4 und das Scheitern von Google+ - entwickler.de()
Pingback: Хакеры эксплуатируют Flash-уязвимость в рекламе Yahoo! | IT News()
Pingback: Huge malware campaign used Yahoo’s ad network | Thalaippu()
Pingback: Yahoo malvertising attack leaves 900 million at risk of ransomware - seekape()
Pingback: Huge malware campaign used Yahoo’s ad network()
Pingback: Reklamy Yahoo! przekierowywały internautów na CryptoWalla()
Pingback: Yahoo tackles large malicious ad campaign in its network - Brisbane Computer Repairs()
Razor512

And this is why adblock will never go away no matter how much
sites beg. If website owners are not willing to properly vet each ad
that is being displayed, then I will not take the risk of allowing them
through.

This has been accepted as the only solutions for firewalls also.
Remember in the past when firewalls functioned on a black list basis?
they had to be constantly updated and hardly ever worked. They then
moved to a white list method, and now they work well.

For those that use advertisements on their site, if you want them
unblocked by the users, then meet them half way, and prove that you are
properly vetting each ad.

If the ad is for software, prove that you have clicked on it, and installed the software.

Other ads requiring a purchase, the owner should have at least clicked
on the ads and browsed around the site using IE with all plugins
enabled.

If they do not feel comfortable doing that, then they shouldn’t feel comfortable putting the ad on their website.

If they feel they must have the ads,, and do not feel like putting in
the work to ensure that they are safe, then they should have an
agreement where if you get infected with any advertisement, then the
site owner is responsible for paying to fix the issue, as well as
recovering the users data in the case of ransomware.
Pingback: Yahoo tackles large malicious ad campaign in its network – PCWorld | Everyday News Update()
Pingback: A Yahoo! saját rendszerével támadtak | SystPro()
Pingback: Hackers habrían utilizado un()
Pingback: Yahoo ads compromised by hackers for a week in record attack - reFLIPd()
Pingback: Yahoo tackles large ‘malvertising’ campaign in its ad network | Templar Shield()
Pingback: Hackers habrían utilizado una vulnerabilidad de Flash en Yahoo Ads para atacar a millones - Misiongeek()
Pingback: Yahoo ads accidentally spewed malware | News For The Blind()
Pingback: Hackers exploit flash adverts - Breaking Ads()
Pingback: Have you visited Yahoo lately? You may have malware on your computer - **** on Heels()
Pingback: Have you visited Yahoo lately? You may have malware on your computer » Rand0m Stuff()
Pingback: Have you visited Yahoo lately? You may have malware on your computer - DailyScene.comDailyScene.com()
Pingback: Hackers habrían utilizado una vulnerabilidad de Flash en Yahoo Ads para atacar a millones | Blog Textual()
Pingback: Have you visited Yahoo lately? You may have malware on your computer | Bain Daily()
Pingback: Have you visited Yahoo lately? You may have malware on your computer - News()
Pingback: Yahoo Squashes Ads Infected by Malware – PC Magazine | Your Common Newspaper()
Pingback: Yahoo Squashes Ads Infected by Malware | Laptop Charger Canada()
Pingback: Yahoo! website! ads! spaff! CryptoWall! ransomware! AGAIN! | TechDiem.com()
Pingback: Yahoo Squashes Ads Infected by Malware | Laptop Charger USA()
Pingback: Flash… Example of how your employees with old Adobe Flash can unintentionally invite a bad actors in through your firewall… | Defensative()
Pingback: Malvertising Attack On Yahoo Is Another Reminder To Disable Flash | Gizmodo Australia()
Pingback: Yahoo Squashes Ads Infected by Malware - 4PC News()
Pingback: Hackers hijacked Yahoo ads for a full week | The Cyber Law Library()
Pingback: ياهو تعترف بثغرة في اعلاناتها هددت الاف الزوار لموقعها - مركز اخبار مصر | مركز اخبار مصر()
Pingback: Yahoo Ads Network Was Serving Malware | Security Zap()
Pingback: Yahoo opět zasaženo malvertisingem » Kyber bezpečnost()
Pingback: Huge malware campaign used Yahoo’s ad network | GoldenZine()
Pingback: Yahoo users hit by 'malvertising' campaign | New Feeds UK()
Pingback: Yahoo Squashes Ads Infected by Malware | Christmas Hot Deals()
Pingback: No se imagina lo que le pasó a algunos que visitaron el sitio de Yahoo! « Vida Tech « TECHcetera()
Pingback: Yahoo ad network targeted by ‘malvertising’ hackers | M&M Global()
Pingback: Utilizan de nuevo Yahoo! Ads para distribuir malware()
Pingback: Yahoo visitors hit by week-long malware attack | BW:NET | UK & USA VPS Servers | Shared Hosting | UK Dedicated Servers | Domain Registration | Freelance Webhosting()
Pingback: Ad Blockers Are Security Tools at A Geek With Guns()
Pingback: Yahoo Users Hit By Huge Malvertising Attack - SiteProNews()
Pingback: Yahoo visitors hit by week-long malware attack - TechCabin()
Pingback: Hackers habrían utilizado una vulnerabilidad de Flash en Yahoo Ads para atacar a millones | Wizard Security()
Pingback: Yahoo visitors hit by week-long malware attack |()
Pingback: Yahoo visitors hit by week-long malware attack - news plaza()
Pingback: Yahoo Users Hit By Huge Malvertising Attack | Mystical Village()
Pingback: Yahoo visitors hit by week-long malware attack | ALBATARNI()
Pingback: Yahoo Ad Network Targeted In Malvertising Attack Seeking Flash Vulnerability | Advertised Free()
Pingback: Yahoo exposes users to malvertising ... again - IT Manager Daily()
Pingback: Yahoo Website Eclipsed With One of the Largest Malvertising Attack | Poster Waves()
Pingback: ياهو تعترف بثغرة في اعلاناتها هددت الاف الزوار لموقعها | بوابة عمان الرقمية()
Pingback: Yahoo visitors hit by week-long malware attack | Playground || Gopal ||()
Pingback: Yahoo Ad Network Targeted In Malvertising Attack Seeking Flash Vulnerability | Famous Marketing()
DFelton

Yes, Yes a thousand times Yes!

Imagine if TV ads could damage your TV – you think broadcasters could get away with running malicious ads. You want to run code on my pc? Check it first.
Pingback: Malvertising Attack Hits Yaho()
Pingback: AtomTimes » Flash Player nuovo attacco tramite Yahoo()
Pingback: Ad firms are the reason Adobe’s Flash still exists—despite its many, many security flaws - Quartz()
Pingback: Yahoo: Schadcode mehrere Tage lang über Werbenetzwerk verteilt - Servaholics()
Pingback: Yahoo Malvertising Attack Points to More Flash Problems | Forensic News()
Pingback: Engadget | Technology News, Advice and Features | Super Deal Shopper()
AbsolutoCaos

TV ads can damage your tv. One example is when the broadcaster makes certain ads louder then the rest. It may damage your tv speakers.
Who knows, with the advancement in the smart tv’s….
Pingback: Huge malware campaign used Yahoo's ad network | Super Deal Shopper()
Pingback: Weekly Industry Roundup()
Pingback: Yahoo Ads Flash Vulnerability Been Exploited By Hackers — Security Gladiators()
Pingback: [MALWAREBYTES] Ιός μέσω των διαφημίσεων της Yahoo μολύνει εκατομμύρια υπολογιστές | S@fer-Internet.Gr()
Pingback: Yahoo Squashes Ads Infected by Malware - Provider Technology()
tjpc3 The Redstoner

I believe the sites and the advertisement networks should all be held responsible for damage due to a malicious ad. I do have a solution however. Make the Ad networks thoroughly check every ad that gets submitted. Apple already does this with the App Store so I think they should do it with iAd and then expand the iAd network to desktop webpages and not just mobile apps.
Psyanic

While I feel similarly that websites should be held responsible for the ads on their sites, the scenario you present is flawed. From the 3rd paragraph, you seem to indicate that if websites properly vetted each ad, you would then be willing to turn off adblock, thus restoring revenue to the sites you visit when you are presented with those ads. But how many of the millions of websites would have to properly vet their ads before you would turn yours off? Just the “big” sites or all the sites in the world? Would you constantly switch it off and on based on the site you were visiting? The reason I ask, is that most people I know that have been pushed to the point where they run adblock, probably won’t turn it back on even if 95% of the sites in the world vetted their ads, and they won’t want the added headache of keeping track of which sites do/don’t vet their ads. Additionally, they have grown accustomed to not seeing ads at all.
Razor512

Adblock can be turned off on a per site basis. If a site can properly vet their ads, then I will white list them.
Psyanic

Then we are in agreement my friend.
Pingback: Yahoo Squashes Ads Infected by Malware | WebSetNet()
Pingback: BlackHat 2015: RiskIQ reports huge spike in malvertising | Industry of It()
Pingback: SSL Malvertising Campaign Continues | Malwarebytes Unpacked()
Pingback: Yahoo Ad Network Targeted In Malvertising Attack Seeking Flash Vulnerability - Binary Option News()
Karen Harper

How do you report to yahoo that there is ad malware on their site as I tried this morning and could not find a way to report having just been attacked from their homepage # luckily had adequate cover from antivirus software, otherwise would have been in trouble!
Pingback: SSL Malvertising Campaign Continues | vyagers()
Pingback: My browser visited Weather.com and all I got was this lousy malware (Updated) | feedas TNA()
Pingback: Why I won’t browse the web without Adblockers Part XXIII: “I went to Weather.Com and all I got was this lousy malware” | Constantinople (Not Istanbul)()
Pingback: Yahoo Ads Infected With “Malvertisements” | Unicorn Riot()
Pingback: Gone in a Flash? HTML5 Leads the Way for Rich Ads | DAC Group()
Pingback: Hackers Exploit ‘Flash’ Vulnerability in Yahoo Ads - Techwebies()
Pingback: Stop ad injections with HTTPS connections or a VPN | High Tech News()
Mischief

10’s of hours to fix HP5660 printer. Finally, resorted to on-line, help. Twice!! first tech could not fix it.second tech did. Never thought Manufacturer’s web/live help was risky. WRONG. Received a home call from “Jenny” two days later. She wanted to help “Sue” fix her machine. Sue was the name used on live chat!! What part of my computer needs fixing, I asked? “Jenny” hung up.
The hack (HP access into my computer) was clear, name used Sue, knew machine down, knowledge of phone number. Second download said microsoft ……. including a green check at the end. Asked why the microsoft site was not accessed? We have our own copy…..yeah right.

Very angry at HP’s trash wasting my hours. Printer took a week to work.
Angrier at live fixing of my machine opened a direct line to hack. (malware + Eset didn’t pick it up)
HP should find out why their software is compromised. Why the allowance of tech entry through their website.(ME)..allowed hackers into the guts of my machine also? Since the malware is not detectable..
I am thinking of rebuilding the machine (chip rebuild). Find out what’s in my machine and HP should fix it. Hackers are getting good to get past me. Sigh…
Pingback: Yahoo Ad Network Targeted In Malvertising Attack Seeking Flash Vulnerability - Binary Option News | Binary Option News()
Pingback: LUXURY ART | Huge malware campaign used Yahoo's ad network()
Pingback: La fin de Flash ? - Mistral Consulting()
Pingback: The end of Flash - Mistral Consulting()
Pingback: The End Of An Advertising Era: The End Of Flash | Dx3 Digest()
Pingback: Yahoo tackles large malicious ad campaign in its network | The Patriot()
Pingback: Angler Exploit Kit Strikes on MSN.com via Malvertising Campaign | Malwarebytes Unpacked()
Pingback: Why advertising can’t quit Flash - Webnesday()
Pingback: My browser visited Drudgereport and all I got was this lousy malware (Updated) | Ad Jet()
Pingback: Stop ad injections with HTTPS connections or a VPN - Q Wealth()
Pingback: Yahoo tackles large ‘malvertising’ campaign in its ad network | سيار - syiar()
Pingback: SSL Malvertising Campaign Targets Top Adult Sites | Malwarebytes Unpacked()
Pingback: Detonation | Riding Free()
Pingback: SSL Malvertising Campaign Targets Top Adult Sites - SecuritySlagsSecuritySlags()
Pingback: SSL Malvertising แคมเปญใหม่ พุ่งเป้าเว็บไซต์สำหรับผู้ใหญ่ | TechTalkThai()
Pingback: BILD Dir deine Meinung zu Adblockern - botfrei Blog()
Pingback: Malvertising Hits ‘The Daily Mail,’ One of the Biggest News Sites on the Web - Patriot Rising()
Pingback: Top 5 Recommendations to Avoid Malvertising()
Pingback: Advertising: Backdoor for Malware | Inside PageFair()
Pingback: You can be Hacked By Viewing a Webpage (Blog Post #6) | Cyberfluency()
Pingback: Why Everyone Needs Protection Against Malware()
Pingback: Hackers Exploit ‘Flash’ Vulnerability in Yahoo Ads | litelesite()
Pingback: Yahoo tackles big 'malvertising' campaign in its ad network | Wiki News Tech | Tech Hub For Techgig()
Pingback: Engadget Today » Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click()
Pingback: Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click | S4mpl3d()
Pingback: Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click | Gadgetleader()
Pingback: Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click (@wired) | OSINFO()
Pingback: Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click - New Egypt()
Pingback: You say promoting, I say block that malware | Xenero()
Pingback: You say advertising, I say block that malware – ○○○○●○○○()
Pingback: You say promoting, I say block that malware | Word Wide News()
Pingback: You say advertising, I say block that malware | Lindauer Mac Consulting()
Pingback: Forbes makes visitors turn off their ad blockers, then infects their computers with malware – Enterprise Security Professional()
Pingback: Malvertising: what is it and how to browse safely - Security Curated()
Pingback: The state of the web 2016 - mobiForge()
Pingback: Ad Blocking: A Primer | TechCrunch()
Pingback: Ad Blocking: A Primer – SHOPATO()
Pingback: Ad Blocking: A Primer | KWOTABLE()
Pingback: Ad Blocking: A Primer | Gulf News Today()
Pingback: Ad Blocking: A Primer - Press TV News()
Pingback: Ad Blocking: A Primer – WeeklyTimesNews.com()
Pingback: Ad Blocking: A Primer -()
Pingback: Ad Blocking: A Primer » Peepstalks!()
Pingback: Ad Blocking: A Primer - Cool Tech Reviews()
Pingback: Ad Blocking: A Primer | mango outlet()
Pingback: Ad Blocking: A Primer | This Viral()
Pingback: Ad Blocking: A Primer | Rep News()
Pingback: Ad Blocking: A Primer | Viral World news()
Pingback: Ad Blocking: A Primer – Nigerian Herald()
Pingback: Ad Blocking: A Primer | Feedlesticks()
Pingback: Ad Blocking: A Primer | The H2O Standard()
Pingback: Ad Blocking: A Primer | World Updates()
Pingback: Ad Blocking: A Primer – pulsebell()
Pingback: » Ad Blocking: A Primer()
Pingback: Ad Blocking: A Primer | AkimoLux.com()
Pingback: Ad Blocking: A Primer | EuroMarket News()
Pingback: Ad Blocking: A Primer | TechPapa()
Pingback: Ad Blocking: A Primer • AppMarsh()
Pingback: 広告ブロック入門 | TechCrunch Japan()
Pingback: 広告ブロック入門 | まっちゃ by MIS()
Pingback: Hacker Lexicon: Malvertising, the Hack That Infects Computers Without a Click - Meta Thrunks Security Blog()
Pingback: Silencing dissent? IAB blocks Adblock Plus from internet advertising conference - Micro Penguin()
Pingback: Silencing dissent? IAB blocks Adblock Plus from internet advertising conference – Computerworld()
Pingback: Silencing dissent? IAB blocks Adblock Plus from internet advertising conference | Website Master Info()
Pingback: Silencing dissent? IAB blocks Adblock Plus from internet advertising conference | Tech News - Latest Tech, Gadgets & Science()
Pingback: Silencing dissent? IAB blocks Adblock Plus from internet advertising conference | All About Tech in News()
Pingback: Silencing dissent? IAB blocks Adblock Plus from internet advertising conference - AdTrustMedia Blog()
Pingback: 广告拦截：广告业美好未来的奠基者 | TechCrunch 中国()
Pingback: 广告拦截：广告业美好未来的奠基者 | 23Seed()
App Marsh

lol. Is this situation registered officially ?
FatCheesesteakers

A Yahoo ad just downloaded a malware fake flash player for me. eecohweb1 dot com was the host site.
MadDemon64

Ditto. I’m running every virus scan I have to make sure nothing got in.

RELATED ARTICLES

Exploits | Threat analysis

Citadel: a cyber-criminal’s ultimate weapon?

November 5, 2012 - In old times, a citadel was a fortress used as the last line of defense. For cyber criminals it is a powerful and state-of-the-art toolkit to both distribute malware and manage infected computers (bots). Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes...

CONTINUE READING No Comments

Exploits | Threat analysis

Web Exploits: a bright future ahead

January 2, 2013 - The majority of computers get infected from visiting a specially crafted webpage that exploits one or multiple software vulnerabilities. It could be by clicking a link within an email or simply browsing the net, and it happens silently without any user interaction whatsoever. Vulnerabilities are flaws that exist in various programs and that allow someone to...

CONTINUE READING 2 Comments

Exploits | Threat analysis

Zero-Day Java vulnerability wreaks havoc on computers worldwide

January 14, 2013 - Update (1/14/2013) Oracle has issued an emergency patch to be shipped with version 7 update 11. While we are pleased to see a quick turnaround time, we stand by our initial recommendations to disable Java in your browser. This is still the most exploited piece of software and whether it is patched or not still unnecessarily puts you...

CONTINUE READING 1 Comment

Exploits | Threat analysis

New Exploit Kit, Ransomware and AV evasion

March 14, 2013 - Ransomware is still going strong and infecting countless PCs. We happened to stumble upon an interesting sample part of the Urausy family which bypassed detection on all major antivirus products for almost an entire day before slowly being detected. In this post we will give some information on its background (where it came from) and...

CONTINUE READING No Comments

Exploits | Threat analysis

Redkit Exploit Kit does the splits

April 5, 2013 - Exploit Kit authors must really love Java . Not only is it ripe with vulnerabilities but its own language provides a great platform to write and deliver malware in different ways. We are used to seeing encrypted payloads (XOR, AES encryption), applets containing both the exploit itself and the binary payload. Today we will talk...

CONTINUE READING No Comments

ABOUT THE AUTHOR

Jérôme Segura
Lead Malware Intelligence Analyst

Security researcher with a focus on exploits, malvertising and fraud.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

SEARCH LABS

TOP POSTS

Large Malvertising Campaign Takes on Yahoo!

Citadel: a cyber-criminal’s ultimate weapon?

Web Exploits: a bright future ahead

Zero-Day Java vulnerability wreaks havoc on computers worldwide

New Exploit Kit, Ransomware and AV evasion

Redkit Exploit Kit does the splits

Cybersecurity info you can’t do without