June and July have set new records for malvertising attacks. We have just uncovered a large scale attack abusing Yahoo!’s own ad network.
As soon as we detected the malicious activity, we notified Yahoo! and we are pleased to report that they took immediate action to stop the issue. The campaign is no longer active at the time of publishing this blog.
This latest campaign started on July 28th, as seen from our own telemetry. According to data from SimilarWeb, Yahoo!’s website has an estimated 6.9 billion visits per month, making this one of the largest malvertising attacks we have seen recently.
- www.yahoo.com | 6.9B monthly visits
- news.yahoo.com | 308.50M monthly visits
- finance.yahoo.com | 135M monthly visits
- sports.yahoo.com | 112.50M monthly visits
- celebrity.yahoo.com | 66.60M monthly visits
- games.yahoo.com | 43.40M monthly visits
ads.yahoo.com -> adslides.rotator.hadj1.adjuggler.net -> ch2-34-ia.azurewebsites.net/?ekrug=sewr487giviv93=12dvr4g4 -> basestyle.org/?id=1423150231&JHRufu346&camp=URhfn67458&click=UEjd856 -> siege.nohzuespoluprace.net/forums/viewforum.php?f=2sb49&sid=y1yki0
As with the previously reported cases, this one also leverages Microsoft Azure websites:
We have observed two main domains being used:
- trv0-67sc.azurewebsites.net/?=trv0-s4-67sc
- ch2-34-ia.azurewebsites.net/?ekrug=sewr487giviv93=12dvr4g4
The sequence of redirections eventually leads to the Angler Exploit Kit:
We did not collect the payload in this particular campaign, although we know that Angler has been dropping a mix of ad fraud (Bedep) and ransomware (CryptoWall).
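The redirection chain above is something a defender can look for in web proxy logs: the Azure gate alone is a weak signal (plenty of legitimate sites live under azurewebsites.net), but an ad-rotator request followed in order by the gate, the basestyle.org redirector and the exploit-kit landing host is distinctive. The script below is an added example, not Malwarebytes code; it replays a constructed proxy log (the log format, client IPs and the `example-app.azurewebsites.net` host are all made up for the example) and flags clients whose request sequence reproduces the stages of the chain, using only the hostnames named in this post.

```python
"""Flag proxy clients whose request sequence matches the stages of the
Yahoo!/Azure/Angler redirection chain.  Added example; hostnames come from
the post, the log format and sample lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Ordered stages of the chain, each matched against the request hostname.
# A lone hit on *.azurewebsites.net is not flagged; stages must occur in order.
CHAIN_STAGES = [
    ("ad rotator", re.compile(r"(^|\.)adjuggler\.net$")),
    ("azure gate", re.compile(r"(^|\.)azurewebsites\.net$")),
    ("redirector", re.compile(r"^basestyle\.org$")),
    ("exploit kit landing", re.compile(r"(^|\.)nohzuespoluprace\.net$")),
]

# Constructed log lines: "<timestamp> <client_ip> <url>" (not a real proxy format).
# 10.0.0.5 walks the full chain; 10.0.0.9 only touches an unrelated Azure site;
# 10.0.0.7 hits the redirector without the preceding ad-rotator stage.
SAMPLE_LOG = """\
2015-07-28T10:01:02Z 10.0.0.5 https://www.yahoo.com/
2015-07-28T10:01:03Z 10.0.0.5 https://ads.yahoo.com/
2015-07-28T10:01:03Z 10.0.0.5 http://adslides.rotator.hadj1.adjuggler.net/
2015-07-28T10:01:04Z 10.0.0.5 http://ch2-34-ia.azurewebsites.net/?ekrug=sewr487giviv93=12dvr4g4
2015-07-28T10:01:04Z 10.0.0.5 http://basestyle.org/?id=1423150231&JHRufu346&camp=URhfn67458&click=UEjd856
2015-07-28T10:01:05Z 10.0.0.5 http://siege.nohzuespoluprace.net/forums/viewforum.php?f=2sb49&sid=y1yki0
2015-07-28T10:02:00Z 10.0.0.9 https://finance.yahoo.com/
2015-07-28T10:02:01Z 10.0.0.9 https://example-app.azurewebsites.net/api/status
2015-07-28T10:03:00Z 10.0.0.7 http://basestyle.org/?id=1423150231
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)$")


def parse_log(text):
    """Yield (timestamp, client, hostname) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        host = urlsplit(m["url"]).hostname
        if host:
            yield m["ts"], m["client"], host.lower()


def requests_by_client(text):
    """Group the hostnames each client requested, preserving log order."""
    seq = defaultdict(list)
    for _ts, client, host in parse_log(text):
        seq[client].append(host)
    return dict(seq)


def matched_stages(hosts):
    """Return the chain stages hit by this host sequence, as an in-order
    subsequence match that may begin at any stage but never goes backwards."""
    hit, idx = [], 0
    for host in hosts:
        for j in range(idx, len(CHAIN_STAGES)):
            name, pattern = CHAIN_STAGES[j]
            if pattern.search(host):
                hit.append(name)
                idx = j + 1
                break
    return hit


def flag_clients(text, min_stages=2):
    """Map client -> matched stages for clients that hit at least
    `min_stages` consecutive-in-order stages of the chain."""
    flagged = {}
    for client, hosts in requests_by_client(text).items():
        stages = matched_stages(hosts)
        if len(stages) >= min_stages:
            flagged[client] = stages
    return flagged


if __name__ == "__main__":
    for client, stages in flag_clients(SAMPLE_LOG).items():
        print(f"{client}: {' -> '.join(stages)}")
```

Requiring two or more stages in order is what keeps the unrelated Azure app and the stray redirector hit out of the alert; the threshold and the stage list are the knobs to tune as the campaign's gate and redirector domains rotate.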
Malwarebytes Anti-Exploit users were already protected against this attack.
We would like to thank Yahoo! for their prompt response to this incident. Here’s their official statement:
“Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue.
Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”
Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain.
The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it. It is one of the reasons why we need to work very closely with different industry partners to detect suspicious patterns and react very quickly to halt rogue campaigns.
Apparently Yahoo changed their tune a bit from when I reported a virus. It was many years ago when I had a yahoo mail account and a worm kept sending messages from my account. They insisted I had a virus on my system despite the facts that 1.) I had run both mbam and eset’s scanners on my system and 2.) the messages were spread when I had no connection to the internet. The messages were also the annoying automated type that tell you that no one actually read the message (like when you email tech support and tell them a device isn’t powering up despite other devices working in the outlet and they reply try moving it to another outlet or plugging something else in to make sure it works…)
And this is why adblock will never go away no matter how much sites beg. If website owners are not willing to properly vet each ad that is being displayed, then I will not take the risk of allowing them through.
This has been accepted as the only solution for firewalls also. Remember in the past when firewalls functioned on a blacklist basis? They had to be constantly updated and hardly ever worked. They then moved to a whitelist method, and now they work well.
For those that use advertisements on their site, if you want them unblocked by the users, then meet them halfway, and prove that you are properly vetting each ad.
If the ad is for software, prove that you have clicked on it and installed the software.
For other ads requiring a purchase, the owner should have at least clicked on the ads and browsed around the site using IE with all plugins enabled.
If they do not feel comfortable doing that, then they shouldn’t feel comfortable putting the ad on their website.
If they feel they must have the ads, and do not feel like putting in the work to ensure that they are safe, then they should have an agreement where if you get infected with any advertisement, then the site owner is responsible for paying to fix the issue, as well as recovering the user’s data in the case of ransomware.
Yes, Yes a thousand times Yes!
Imagine if TV ads could damage your TV. Do you think broadcasters could get away with running malicious ads? You want to run code on my PC? Check it first.
TV ads can damage your TV. One example is when the broadcaster makes certain ads louder than the rest. It may damage your TV speakers.
Who knows, with the advancement in smart TVs…