Malwarebytes have revealed a large-scale attack abusing Yahoo!’s own ad network. The research uncovered that June and July have set new records for malvertising attacks, with a potential 6.9m users per month at risk.
Malwarebytes immediately informed Yahoo! of the malicious activity, and the campaign was no longer active as of yesterday. The campaign started on July 28th, as seen from Malwarebytes’ own telemetry. According to data from SimilarWeb, Yahoo!’s website has an estimated 6.9 billion visits per month, making this one of the largest malvertising attacks seen recently.
- http://www.yahoo.com | 6.9B monthly visits
- news.yahoo.com | 308.50M monthly visits
- finance.yahoo.com | 135M monthly visits
- sports.yahoo.com | 112.50M monthly visits
- celebrity.yahoo.com | 66.60M monthly visits
- games.yahoo.com | 43.40M monthly visits
Malwarebytes observed two main domains being used:
The sequence of redirections eventually led to the Angler Exploit Kit.
Following this news, Grayson Milbourne, Security Intelligence Director at cybersecurity firm Webroot, said:
“With the pure scale and size of Yahoo – many people may have fallen victim to this attack. Monetary gain is the primary motivation for attacks of this nature and in many cases, ads are just traps for additional attacks. This exploit is an indication that potential breaches are heading in the direction of becoming more complex in nature, and with further reaching effects on a larger number of end-users. With an estimated 6.9 million users per month, this exploit raises serious questions about the size of this attack and Yahoo’s security processes.
“Exercising prudence when obtaining and installing software is crucial to staying protected from these types of attacks. End-users should keep in mind that often a quick search can give useful information on the general level of public trust. To stay protected, I encourage users to use the Chrome browser along with an ad-removal extension. There are a number to pick from, and using this combination offers the best chance of preventing an ad network redirect to an exploit kit.”