Yahoo! ads! caught! spreading! CryptoWall! ransomware! AGAIN!

library
crime | hacking | security

Yahoo!‘s ad network is still being used to spread ransomware to Windows PCs a year after the last big outbreak.

Adverts served on the Yahoo! homepage as well as the Yahoo! News, Sports, Celebrity, Finance, and Games websites, led to sites hosting malicious code that infected vulnerable systems, according to Malwarebytes. Attacked machines were injected with adware or the infamous CryptoWall ransomware, we’re told.

CryptoWall works by encrypting all the documents it can find on a computer system, and demands a ransom to restore the data. The FBI says victims have shelled out millions of dollars to decrypt and recover their files.

Yahoo! said these latest malicious ads have been pulled from its network. “As soon as we learned of this issue, our team took action and will continue to investigate this issue,” Yahoo! said in a statement to The Register.

Malwarebytes says this fresh batch of dodgy adverts ran on the Yahoo! network between July 28 and August 3, which was when Yahoo! pulled the malicious content.

Jerome Segura, senior security researcher for Malwarebytes, told The Reg that the use of encryption on both the exploit end and the malware installation makes detection far more difficult.

Segura explained that netizens are redirected to the attack page via an encrypted HTTPS connection. Additionally, the Angler exploit kit uses encryption to scramble its malware downloads from antivirus software.

“That we can’t see where the redirect is happening and can’t pinpoint where it is makes it more difficult,” he explained. “Any kind of system that monitors at the network level would only see a blurb of data and nothing like a binary.”

According to Malwarebytes, the ads themselves did not contain any bad code, but rather referred traffic to another page hosted on a Microsoft Azure site. That page then redirected to another domain that launched the Angler exploit kit on victims specifically in North America.

The kit exploits security holes in Adobe Flash to inject either the Bedep adware package or the CryptoWall ransomware onto vulnerable Windows systems. Security patches are available for the exploited flaws, so up-to-date computers were not at risk.

Segura suggests that users either disable Flash or set the player on click-to-play mode so potentially harmful files are not loaded automatically.

The Purple Palace noted that such malware attacks are an all-too-common occurrence in the advertising space, a point Segura confirmed. Because so many online ads are run through various third-party networks and providers, a criminal can slip advertising code into an otherwise legitimate piece of advertising and infect thousands of pages without the site owners realizing anything is amiss.

“They are very smart in disguising themselves, changing their ads at the last minute, stuff like that,” said Segura. “If there was a simple answer, whoever had it would be very rich.” ®