In a stunning announcement, Yahoo! reported it has shut down a massive malware campaign infecting billions of visitors to its websites. Some experts believe the website infected with the malware was visited as many as 300,000 times an hour.
Malwarebytes discovered the scheme, which ran from July 28th through August 3rd and used Yahoo!’s ad network to infect users’ computers with malware used for advertising.
Malvertising is a scheme where hackers trick automated advertising networks into delivering malware. The trick is becoming more and more common. This malware does not require the user to do anything to become infected. Simply browsing a website is enough to get infected. This is sometimes called a drive-by download.
Yahoo! and other big-name search engines are prime targets of malvertisers because of the hundreds of millions of ads they deliver daily through their advertising platforms.
Jerome Segura, Senior Security Researcher at Malwarebytes, said, “Malvertising is the silent killer because it does not require any type of user interaction in order to execute their payload.” Segura also warned that the victims of the attack could have been infected with ransomware.
For nearly a week, Yahoo! sites were delivering malicious ads through ads.yahoo.com. Yahoo! users were redirected to several different domains that exposed them to an exploit known as ‘Angler.’ According to Segura, some of the sites that users were redirected to were hosted by Microsoft’s Azure, a cloud computing platform.
Security experts also revealed that another exploit named ‘RIG’ was infecting computers at the rate of 27,000 a day. Both exploits are related to the numerous flaws recently revealed in the Adobe Flash Player software. The software is found on millions of computers to run video and games on websites.
This is not the first time that attackers have used Yahoo!’s advertising network to infect users. Last year the network was used to distribute a range of malware including a Bitcoin miner.
Malwarebytes claimed they notified Yahoo! of the situation; the company took immediate action and the exploit is no longer active. Yahoo! issued the following statement:
“Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”
Malvertising attacks have been steadily increasing because they are so difficult to stop. According to RiskIQ, attacks increased at a rate of 260 percent in the first half of this year.
James Pleger, Director of Research for RiskIQ, stated, “The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred methods for distributing malware.”
Breaking It Down
If you have good anti-virus/anti-malware software on your computer you may be safe, but just maybe. You may want to visit Yahoo!’s safety website that describes how to remove this malware if you have it. But again, this may or may not work. I am not sure how long it has been since this website was updated. Update your anti-virus software and all your software just to be sure.
A drive-by download is extremely dangerous. All you have to do is visit the website and you got the virus or malware. It’s nice to have an anti-virus that blocks you from even going to that website. If yours doesn’t do that then switch. NOW!
Google recently updated its search engine to warn users of suspicious websites before you get to them.
This is about as serious as it gets. Yahoo! is a huge company with billions of websites listed in their search results and I’d guess trillions of ads delivered annually. Imagine if a bad actor had figured out a way to distribute ransomware through the search engine. It could have been the greatest calamity in Internet history. Don’t laugh. It could still happen.
All I can say at this point is to make sure you update your anti-virus frequently. Better yet, set it to update automatically. But even that may not be enough. Take the time to search for RIG exploit removal tool and Angler exploit removal kit. Take my advice.