Angler Exploit Kit used in Yahoo malvertising campaign

Aug 5, 2015 07:48 GMT

Yahoo!'s ads business seems to be very vulnerable these days, the company being hit by a second malvertising campaign in the span of a month.

This time the attack was first observed by the Malwarebytes team, which reported it to the Yahoo! staff, who then stepped in immediately to take down the ads in question.

According to the Malwarebytes data, this most recent campaign started on July 28 and was found on domains like yahoo.com, news.yahoo.com, finance.yahoo.com, sports.yahoo.com, celebrity.yahoo.com, and games.yahoo.com.

Together, these domains have a total of 6.9 billion active monthly visitors, which, divided by 7 (the number of days the campaign lasted), gives a total of 985 million users to whom the ads could have been displayed.

As with the malvertising campaign discovered by Cyphort a few days back, this one also used the Angler Exploit Kit.

In a statement for the New York Times, Malwarebytes staff revealed that recent Flash zero-day exploits were used in the campaign, allowing attackers to infect computers with "a mix of ad fraud (Bedep) and ransomware (CryptoWall)."

The campaign leverages Microsoft Azure websites

As in the previous cases when Yahoo was plagued by a malvertising campaign, Windows Azure servers were used to host the Angler exploit, with a complex redirection scheme hiding their true location.

After promptly taking down the campaign, the Yahoo! staff issued the following statement:

“Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue.”

“Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience.”

“We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”

Malwarebytes Anti-Exploit users were already protected against this attack