Cybercriminals are utilising Yahoo's own ad network to deliver malware to hundreds of millions of visitors to some of the internet giant's most popular websites. Hugely popular websites including Yahoo.com itself, as well as the portal's sports, finance, celebrity and games websites have been hit by one of the biggest malvertising campaigns seen in recent years.
The criminals behind the ongoing campaign are using the compromised network to infect victims' PCs using the Angler exploit kit, which is the most sophisticated exploit kit currently used by cybercriminals. The campaign, which began on 28 July, was discovered by researchers at Malwarebytes, who disclosed the issue to Yahoo.
In a statement emailed to IBTimes UK, a Yahoo spokesperson said:
"Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action to block this advertiser from our network. We take all potential security threats seriously. With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue."
Yahoo is currently ranked as the fifth most popular website in the world according to Alexa.
According to a report from Jérôme Segura, senior security researcher at Malwarebytes, Yahoo's websites have "an estimated 6.9 billion visits per month, making this one of the largest malvertising attacks we have seen recently".
Malware and ransomware
If a user clicks on one of the affected ads, they would typically be redirected through a number of other sites before landing on a page hosting the Angler Exploit Kit which would attempt to silently download malware onto the victim's computer.
While Malwarebytes didn't download "the payload" in this case, Segura said that typically these campaigns look to deliver two types of threat. The first is malware like Bedep, which is used in ad-fraud campaigns and opens up victims' systems to further infection by subsequently downloading additional pieces of malware. The second is ransomware like CryptoWall or CryptoLocker, which encrypts a user's hard drive and demands a ransom before unlocking it.
It is unclear how many people have been infected by the malware, with Malwarebytes saying that only the gang behind the attack would be aware of these figures.
Yahoo's websites have been linked to some recent high-profile malvertising campaigns but previously it was done through third-party ad networks like adtech and e-planning which had been compromised.
It is unclear whether the same criminals are responsible for this latest campaign as those behind recent similar campaigns, including one spotted by the malware defence company Cyphort Labs, which affected AOL's adtech advertising system and, in turn, websites including The Huffington Post.
A month earlier, a similar campaign was spotted by Invincea which found that websites like Yahoo, CBS Sports, eBay UK, Verizon FiOS, Lance Armstrong's Livestrong NGO, and Perez Hilton's gossip blog were infected.