Yahoo’s ad network suffered an attack that lasted for almost a week, Malwarebytes reported mid-day Monday.
Malwarebytes earlier notified Yahoo of the attacks, which began July 28.
Yahoo had stopped them by the time the report was published, Malwarebytes said.
The attackers used the Angler Exploit Kit, described as highly sophisticated, to redirect visitors to ad sites on two Microsoft Azure domains.
Although it did not collect the payload in this campaign, Malwarebytes said that Angler drops a mix of ad fraud — Bedep — and ransomware in the form of the Cryptowall trojan.
Yahoo blocked the advertiser responsible from its network “as soon as we learned of this issue,” Yahoo said in a statement provided to the E-Commerce Times by spokesperson Margot Littlehale.
The attackers redirected people clicking on ads to domains run by Microsoft’s Azure cloud service because of Azure’s security, suggested Jerome Segura, senior security researcher at Malwarebytes Labs.
The attackers wanted to “leverage SSL connections offered by Azure, rendering all traffic to that website encrypted, thus making it much more difficult for us to retrace the full infection flow,” Segura said.
That figures — the Angler exploit kit uses various deobfuscation routines, checks for antivirus products and virtualized analysis environments, and scrambled, encrypted URL paths. It runs dropped malware from memory without having to write to the hard drive, making it extremely difficult for traditional antivirus technologies to detect.
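The redirect pattern described above, an ad click answered with a redirect to a separately hosted HTTPS site on shared cloud infrastructure, is something a defender can hunt for in web proxy logs even when the payload itself never touches disk. The following is an added example, not code from Malwarebytes, Yahoo or the article; the log line format, the hostnames and the cloud-hosting suffix are constructed placeholders that you would replace with your own environment's data.

```python
"""Flag ad-click redirect chains that land on shared cloud hosting over HTTPS.

Constructed example: the proxy log format, hostnames and the cloud suffix
list below are placeholders, not data from the incident described above.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Placeholder: suffixes of shared cloud hosting where a throwaway site with
# a valid TLS certificate can be stood up quickly. Populate from your own data.
CLOUD_SUFFIXES = ("cloud-placeholder.example",)
# Placeholder: ad-network hosts that appear in the log.
AD_HOSTS = {"ads.example-adnet.test"}


@dataclass
class Event:
    ts: int        # epoch seconds
    client: str    # client IP
    url: str       # requested URL
    status: int    # HTTP status returned by the server
    location: str  # Location header value on 3xx responses, "-" otherwise


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<epoch> <client> <url> <status> <location>'."""
    ts, client, url, status, location = line.split()
    return Event(int(ts), client, url, int(status), location)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_cloud_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in CLOUD_SUFFIXES)


def find_ad_redirect_chains(lines, window=5):
    """Return (client, ad_url, landing_url) for every chain in which a request
    to an ad host answers with a 3xx whose Location is an HTTPS site on shared
    cloud hosting, and the same client fetches that site within `window` seconds."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        by_client[ev.client].append(ev)

    hits = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e.ts)
        for i, ev in enumerate(events):
            if host_of(ev.url) not in AD_HOSTS or not 300 <= ev.status < 400:
                continue
            loc = ev.location
            if not loc.startswith("https://") or not is_cloud_host(host_of(loc)):
                continue
            # Only report chains the client actually followed.
            for later in events[i + 1:]:
                if later.ts - ev.ts > window:
                    break
                if host_of(later.url) == host_of(loc):
                    hits.append((client, ev.url, later.url))
                    break
    return hits


# Constructed sample log: one suspicious chain, one benign redirect to a
# merchant site, and one redirect the client never followed.
SAMPLE_LOG = [
    "1000 10.0.0.5 http://ads.example-adnet.test/click?id=1 302 https://abc123.cloud-placeholder.example/landing",
    "1002 10.0.0.5 https://abc123.cloud-placeholder.example/landing 200 -",
    "1100 10.0.0.6 http://ads.example-adnet.test/click?id=2 302 https://shop.legit-merchant.test/sale",
    "1101 10.0.0.6 https://shop.legit-merchant.test/sale 200 -",
    "1200 10.0.0.7 http://ads.example-adnet.test/click?id=3 302 https://xyz.cloud-placeholder.example/p",
]

if __name__ == "__main__":
    for client, ad_url, landing in find_ad_redirect_chains(SAMPLE_LOG):
        print(f"{client}: {ad_url} -> {landing}")
```

The heuristic deliberately requires the follow-up request so that a redirect the browser never completed does not generate noise; in a real deployment the cloud suffix list is the tuning knob, since legitimate advertisers also host landing pages on shared cloud platforms and matches are leads for review rather than verdicts.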
Microsoft Azure is the leader in terms of performance, according to Nasuni’s third biennial State of Cloud Provider report, published in May.
Speed? What Speed?
Yahoo’s claim that it promptly responded to the threat may be a matter of perspective.
“We got in touch with Yahoo very quickly after the discovery,” Segura said.
Why didn’t Yahoo block the malware as soon as it was informed?
“Before shutting down any advertiser, the ad network needs to review the evidence and make the right call,” Segura told the E-Commerce Times.
This “takes a bit of time,” he pointed out — “and in this case, the advertiser was legitimate, so that alone made it more difficult to detect the malicious behavior in the first place.”
Time After Time
Those behind this latest attack launched other massive malvertising attacks in June, Segura said, targeting large news and media websites.
Facebook, CNN Indonesia, and the official websites of Prague Airport and RTL Television Croatia were among those attacked, according to Raytheon/Websense.
The Growth of Malvertising
Malvertising, or using ads as the vector for cyberattacks, is gaining ground among hackers.
Yahoo and AOL users were hit by malvertising in January 2014, and Yahoo was hit again in October.
Google’s DoubleClick ad network was hit in September 2014, and again in January of this year.
The number of malvertisements observed between January and June was 260 percent higher than during the same period last year, and the number of unique malvertisements rose 60 percent year over year, RiskIQ said.
Mobile apps are the most fruitful area for these attacks, RiskIQ said.
However, the attack on Yahoo this time targeted desktops, most likely in North America, Malwarebytes’ Segura said.
Beating the Malvertising Demons
Consumers and corporate users are affected equally by malvertising, “thanks to the ability of rogue advertisers to target their victims with unique precision,” Segura said.
Users must keep their computers up to date, enable “Click to Play” for the Adobe Flash Player, and use defense in depth, he recommended.
Wait, what? Adobe again? Yes — according to Segura, it’s the “No. 1 vector of infections.”