Flash bites again: Huge malware campaign hits Yahoo ads

A week long attack has struck Yahoo visitors using malicious ads.
Written by Liam Tung, Contributing Writer

Yahoo has shut down a massive malware campaign that may have affected millions of visitors to its sites.

Yahoo confirmed it had stopped the scheme, which began last week and had been using Yahoo's ad network to infect end users' PCs with malware. 'Malvertising', as it's known, is an increasingly common technique in which an attacker essentially tricks an automated ad network into delivering malware embedded in ads.

"Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain," said Jérôme Segura, a senior security researcher at Malwarebytes, the security company that discovered the attack.

According to Segura, over nearly a week the malicious ads, which were served through ads.yahoo.com, redirected Yahoo visitors to several different domains that ultimately exposed them to the Angler exploit kit. Some of those redirect domains were hosted on Microsoft's Azure, the researcher noted.

Exploit kits contain attacks for flaws in widely-used browser plugins for Chrome, Firefox and Internet Explorer, such as Adobe's Flash Player, Oracle's Java, Microsoft's Silverlight, and others. Typically the exploits target computers running outdated versions of the plugins.
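Reconstructing the redirect chain Segura describes from web-proxy logs is one way a defender can spot this pattern after the fact: a page loads an ad from an ad-network host, and the browser is then bounced through several unrelated domains before it reaches the exploit-kit landing page. The script below is an added example, not code from the article or from Malwarebytes. The log lines are constructed for illustration, and every domain other than ads.yahoo.com is a placeholder rather than a real indicator.

```python
"""Follow Referer links in proxy logs to rebuild browser redirect chains
and flag ad requests that hop through several third-party domains.

Added example: the log format, the sample lines and all domains except
ads.yahoo.com are constructed placeholders, not real indicators.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, client IP, requested URL, Referer ("-" if none).
SAMPLE_LOG = """\
2015-08-03T10:00:00 10.0.0.5 http://news.example.com/story.html -
2015-08-03T10:00:01 10.0.0.5 http://ads.yahoo.com/ad/serve?id=123 http://news.example.com/story.html
2015-08-03T10:00:02 10.0.0.5 http://redirector-one.example/go http://ads.yahoo.com/ad/serve?id=123
2015-08-03T10:00:03 10.0.0.5 http://redirector-two.example/x http://redirector-one.example/go
2015-08-03T10:00:04 10.0.0.5 http://landing-placeholder.example/flash.swf http://redirector-two.example/x
2015-08-03T10:05:00 10.0.0.9 http://ads.yahoo.com/ad/serve?id=456 http://mail.example.com/
2015-08-03T10:05:01 10.0.0.9 http://cdn.example/banner.jpg http://ads.yahoo.com/ad/serve?id=456
"""

AD_HOSTS = {"ads.yahoo.com"}   # ad-network host named in the article
WINDOW = timedelta(seconds=30)  # a redirect chain completes within seconds
MIN_HOPS = 2                    # benign ads rarely exceed this many third-party hops
MAX_CHAIN = 20                  # guard against self-referencing loops


def parse_log(text):
    """Parse the four-column constructed log format into dicts."""
    records = []
    for line in text.splitlines():
        ts, client, url, referer = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "url": url,
            "referer": None if referer == "-" else referer,
        })
    return records


def host_of(url):
    return urlsplit(url).hostname or ""


def follow_chain(start, records, window=WINDOW):
    """Walk forward from one ad request: each hop is a later request by the
    same client whose Referer is the previous hop's URL, inside the window."""
    chain = [start]
    current = start
    while len(chain) < MAX_CHAIN:
        nxt = next(
            (r for r in records
             if r["client"] == current["client"]
             and r["referer"] == current["url"]
             and r["ts"] >= current["ts"]
             and r["ts"] - start["ts"] <= window
             and r not in chain),
            None,
        )
        if nxt is None:
            break
        chain.append(nxt)
        current = nxt
    return chain


def find_suspicious_chains(records, ad_hosts=AD_HOSTS, min_hops=MIN_HOPS):
    """Return the hostname sequence of every ad request that bounces through
    more than min_hops distinct third-party domains (redirectors plus landing page)."""
    flagged = []
    for r in records:
        if host_of(r["url"]) not in ad_hosts:
            continue
        hosts = [host_of(h["url"]) for h in follow_chain(r, records)]
        third_party = {h for h in hosts[1:] if h not in ad_hosts}
        if len(third_party) > min_hops:
            flagged.append(hosts)
    return flagged


if __name__ == "__main__":
    for chain in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(" -> ".join(chain))
```

Only the first client's ad request is flagged: it passes through two redirect domains before the final landing page, while the second client's ad resolves directly to a single content host. Following Referer links catches script- and iframe-driven redirections; hops done with plain HTTP 3xx responses keep the original page as the Referer, so a production version would also chain on the proxy's recorded redirect status codes.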

Researchers revealed last week that another exploit kit dubbed RIG was infecting machines at a rate of 27,000 per day, primarily using malicious ads and a cocktail of recent Flash Player flaws.

One issue that may be making the attackers' job easier is that Flash Player has been updated several times in the last month, thanks to the leaked files from Italian surveillance-ware vendor Hacking Team, including three zero-day flaws for the media player.

As recently noted by independent malware researcher Kafeine, the Angler Exploit Kit swiftly integrated attacks for these Flash flaws, prompting Mozilla to briefly block Flash in Firefox and security experts to call for Adobe to sunset the software.

Prior to the current attack, a 10-day Yahoo malvertising campaign may have exposed as many as 10 million visitors to the Angler exploit kit. As security vendor Cyphort reported at the time, the attackers used high traffic domains such as The Huffington Post Japan to deliver the malicious ads.

"The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it," said Segura.

As for Yahoo, it's just the latest attack to rely on its massive traffic to infect website visitors. Last year attackers used it to deliver a range of malware, including a Bitcoin miner, and served up exploits for unpatched Java.
