Cyberattack via Yahoo Ads exposes ‘malvertising’ epidemic

Bad ads served through exchanges don't need to be clicked to infect users

By now, most web users know they should avoid sketchy websites that could give them viruses. But, as Yahoo users learned this week, they can be vulnerable anywhere.

On Monday, a security firm that tracks malware attacks discovered that Yahoo’s ad network was used to distribute large quantities of malware to unsuspecting site visitors on owned properties like Yahoo.com, Yahoo Sports and Yahoo News. As soon as Yahoo was made aware of the problem, it intercepted the bad ads, but not before thousands of users were exposed.

The ads made use of vulnerabilities in Flash to infect users’ computers, meaning that users only had to see the ad — not interact with it — to be exposed to infection. The ads came with a mixed payload of ransomware, which locks a user’s computer until they pay a fee (often under the guise of required maintenance or anti-virus protection), and ad fraud malware, which hijacks a user’s browser and uses it to visit websites without their knowledge, in order to generate fraudulent ad impressions that are then sold to advertisers.

Malwarebytes, the security firm that caught on to the attack, said the malicious ad campaign was launched on July 28, though there may have been earlier campaigns by the same cybercriminals that weren’t detected. There’s no way to know for sure how many Yahoo visitors were exposed to malicious ads, or what fraction of those exposed were successfully infected. It’s likely only a small fraction of the 6.9 billion monthly visitors to Yahoo’s sites. Nonetheless, Malwarebytes says it’s the largest network that it has seen used for this kind of attack.

In a statement to Business Insider, Yahoo claimed the multiple press reports about the incident “grossly misrepresented” the scale of the attack. “Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience,” a spokesperson wrote. “As soon as we learned of this issue, our team took action to block this advertiser from our network. We take all potential security threats seriously.”

The attack has shone a light on a growing problem that affects advertisers, publishers, and especially web users, and not just those in the backwaters of the web. According to multiple security firms, the number of malicious ad attacks has grown substantially over the past year. Just this week, unrelated to the Yahoo attack, RiskIQ reported a 260% increase in malvertising attacks between the first half of 2014 and the same quarter this year. Meanwhile, the number of unique malicious ads in circulation each month grew 60% (80,000 in June 2015 vs. 50,000 in June 2014).

In its report, RiskIQ blamed the rise of programmatic advertising, and the anonymity that ad buyers and sellers are permitted on exchanges and networks, for making it easier for cybercriminals to distribute malware at scale. In the past 18 months, security firms have found cybercriminals using networks operated by major tech players like Google, AOL, and The Rubicon Project to distribute compromised ads to publishers’ sites.

Malwarebytes’ senior security researcher Jerome Segura also pointed to the relative ease of buying ad space on networks and ad exchanges in a Q&A with Ad Age about the Yahoo attack. “There is not really a very strong barrier to entry for advertisers to start going on to ad platforms and pushing their ads,” he said. “One of the reasons is [cybercriminals] are willing to give money to the ad networks to run the ads, like any normal advertiser, so it is in the ad networks’ interest to have the advertisers come and upload their creative.”

This is not the first time so-called “malvertising” has shown up on Yahoo sites. Last October, Yahoo’s finance and sports sites were part of a similar large-scale malware attack, along with The Atlantic and a real estate site owned by AOL. Yahoo Ads was also the subject of a major malware attack from December 2013 to January 2014.

The security firm that identified the October attack, Proofpoint, estimated the attackers made $25,000 off the ransomware they were able to distribute through exchanges operated by The Rubicon Project, OpenX and the Yahoo Ad Exchange. The hackers used the same ransomware package, Cryptowall, as was used in the attack identified this week.

Yahoo has since shuttered its third-party ad exchange, and now only uses its exchange to sell ads on sites that it owns and operates. That effectively stops bad actors from selling fake ads on its network, since no one but Yahoo can sell ads there, but it doesn’t stop fraudsters from buying legitimate ad impressions and using them to attack users. Fraudsters can use such attacks to infect more computers with botnet software, increasing the amount of fake ad traffic they’re able to generate to scam advertisers with.

Malwarebytes’ Segura told Ad Age top-tier networks are not immune to malware, but advised advertisers and publishers to favour trusted names like Yahoo anyway, since they’re attacked less often and have better procedures in place to deal with attacks. “There’s no such thing as no incident when it comes to security,” he said. “It’s about the frequency but also the duration of an incident. So by going with a major ad network, you know that they’re more likely to respond in a timely manner. That’s what really matters, I think.”
