
Yahoo hack: an old attack evolving

Ad networks have always been popular targets for malware.

By Jon Tullett, Editor: News analysis
Johannesburg, 06 Jan 2014
Yahoo CEO Marissa Mayer: fighting to reclaim users' trust.

Yahoo's ad network was exploited to deliver malware to users, using a drive-by exploit capable of infecting victims merely by them visiting affected Web pages. Ad networks have been attacked similarly in the past, enough that the term "malvertising" was coined to describe the activity.

High-profile ad networks are a tempting target for hackers since the potential reach for malware victims is greatly increased, but smaller networks and even standalone ad servers are common targets. This also wasn't the first malvertising incident for Yahoo - its YieldManager ad network was abused in 2010 to deliver malware.

This most recent attack appeared to target Windows users in Europe, primarily the UK, France and Romania, via ads delivered to Yahoo Mail pages. Although the infected ads bypassed Yahoo's filters, the company moved quickly to remove the malware. It is not yet known how many users were infected, but Fox-IT, the research firm that broke the news of the attack, estimated that 27 000 users could have been infected for every hour the malware was active.

The attack used the Magnitude Exploit Kit, a malware delivery tool that has been growing in popularity since the widely used BlackHole Exploit Kit's author was arrested last October. Russian authorities arrested "Paunch", putting an end to the ongoing development of the BlackHole kit - the project had been well-funded and actively developed to take advantage of new vulnerabilities.

Magnitude, like similar kits, offers a variety of exploit code, which is delivered to targets to ensure a wider audience can be infected. Once an exploit has fired, further Trojan software, such as the Zeus botnet agent, can be remotely installed. The Magnitude kit includes a pair of Java vulnerabilities, an Internet Explorer attack, and an older TrueType exploit - no zero-day vulnerabilities yet.

Coming after its previous malvertising breach, this will be a blow to Yahoo's credibility, especially since it followed on the heels of new CEO Marissa Mayer's public declaration of efforts to improve trust in the wake of the Prism scandal.

Web site operators who prefer not to use third-party advertising can opt for off-the-shelf ad serving software like OpenX. Although the audience of potential victims is smaller, these products have been a frequent target in the past (to the point where OpenX gave up and closed its SaaS ad serving product OnRamp), with exploits allowing attackers to add malware modules so that exploit code is delivered alongside ads.

The next big target for attackers could be mobile ad networks, with weaknesses already identified in mobile advertising frameworks, which could allow attackers to deliver malicious code or steal information from mobile devices running ad-supported apps.
