This article is more than 1 year old
Yahoo! website! ads! spaff! CryptoWall! ransomware! AGAIN!
Unpatched Flash holes exploited to inject file-scrambling nasty
Yahoo! has been used to spread ransomware to Windows PCs almost exactly a year after the previous big outbreak.
Adverts served on the Yahoo! homepage as well as the Yahoo! News, Sports, Celebrity, Finance, and Games websites, quietly loaded a script that ultimately exploited holes in Adobe Flash to infect vulnerable systems, according to Malwarebytes.
The attacked computers – potentially hundreds of thousands if not millions in number – were injected with either adware or the infamous CryptoWall ransomware, we're told.
CryptoWall works by encrypting all the documents it can find on a computer system, and demands a ransom to restore the data. Victims have shelled out millions of dollars to decrypt and recover their files, according to the FBI.
Yahoo! said these latest malicious ads, which were booked by crooks, have been pulled from its network. "As soon as we learned of this issue, our team took action and will continue to investigate this issue," Yahoo! said in a statement to The Register.
Malwarebytes said this fresh batch of dodgy adverts ran on the Yahoo! network between July 28 and August 3, which was when Yahoo! pulled the malicious content.
Jerome Segura, senior security researcher for Malwarebytes, told The Reg that the use of encryption by the adverts' masterminds makes detection far more difficult.
Segura explained that browsers fetch the script code via an encrypted HTTPS connection. Additionally, encryption is used to scramble the malware download.
"That we can't see where the redirect is happening and can't pinpoint where it is makes it more difficult," he explained. "Any kind of system that monitors at the network level would only see a blurb of data and nothing like a binary."
Exploit kit targeted people in US and Canada
According to Malwarebytes, the ads themselves did not contain any bad code, but rather silently led the browser to a page hosted on a Microsoft Azure site. That page then redirected to another domain that launched the Angler exploit kit on computers specifically in North America.
The kit exploits security holes in Adobe Flash to inject either the Bedep adware package or the CryptoWall ransomware onto vulnerable Windows systems. Security patches are available for the exploited flaws, so up-to-date computers were not at risk.
Segura suggests that users either disable Flash, or set the player on click-to-play mode so potentially harmful files are not loaded automatically.
The Purple Palace noted that such malware attacks are an all-too-common occurrence in the advertising space, a point Segura confirmed. Because so many online ads are run through various third-party networks and providers, a criminal can slip advertising code into an otherwise legitimate piece of advertising and infect thousands of pages without the site owners realizing anything is amiss.
"They are very smart in disguising themselves, changing their ads at the last minute, stuff like that," said Segura. "If there was a simple answer, whoever had it would be very rich." ®