Malwarebytes researchers recently uncovered what they describe as a large-scale attack on Yahoo’s advertising network.
The attack started on July 28, 2015. It redirected victims to the Angler Exploit Kit, which has previously dropped a mix of Bedep adware and CryptoWall ransomware.
“As soon as we detected the malicious activity, we notified Yahoo! and we are pleased to report that they took immediate action to stop the issue,” Malwarebytes senior security researcher Jerome Segura wrote in a blog post detailing the attack. “The campaign is no longer active at the time of publishing this blog.”
“Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload,” Segura noted. “The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain.”
In a statement, Yahoo said, “Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”
There’s some dispute about the size of the attack — while Segura noted that SimilarWeb’s traffic ranking reports that yahoo.com sees 6.9 billion visits per month, “making this one of the largest malvertising attacks we have seen recently,” a Yahoo spokeswoman told the New York Times that “the scale of the attack was grossly misrepresented in initial media reports, and we continue to investigate the issue.”
In a similar attack in January 2014, Fox-IT researchers estimated that malicious ads on Yahoo’s home page were infecting approximately 27,000 visitors per hour.
STEALTHbits vice president of product management Brian Vecci told eSecurity Planet by email that the Yahoo attack should serve as a reminder that cyber attacks can come from anywhere, in any form. “What’s interesting here isn’t that a piece of technology — in this case an online advertising network — has been compromised,” he said. “Businesses and consumers should already be wary of any code on any web page, and should be running up-to-date browsers and anti-malware software on their clients anyway.”
“What’s more interesting here is the potential damage this might do to Yahoo! Advertising as a trusted provider,” Vecci said. “Online advertising has increasingly relied on the combination of intelligent targeting and utility: show useful information to the right people to make the advertising worthwhile. If the network itself isn’t trusted, however, online advertisers aren’t going to bother since no matter how relevant or useful the message is, the messenger won’t be trusted.”
In response to last year’s attack on Yahoo’s ad network, this eSecurity Planet article offered advice on fighting the “malvertising” threat.