Yahoo! website! ads! spaff! CryptoWall! ransomware! AGAIN!

Unpatched Flash holes exploited to inject file-scrambling nasty


Yahoo! has been used to spread ransomware to Windows PCs almost exactly a year after the previous big outbreak.

Adverts served on the Yahoo! homepage as well as the Yahoo! News, Sports, Celebrity, Finance, and Games websites, quietly loaded a script that ultimately exploited holes in Adobe Flash to infect vulnerable systems, according to Malwarebytes.

The attacked computers – potentially hundreds of thousands if not millions in number – were injected with either adware or the infamous CryptoWall ransomware, we're told.

CryptoWall works by encrypting all the documents it can find on a computer system, and demands a ransom to restore the data. Victims have shelled out millions of dollars to decrypt and recover their files, according to the FBI.

Yahoo! said these latest malicious ads, which were booked by crooks, have been pulled from its network. "As soon as we learned of this issue, our team took action and will continue to investigate this issue," Yahoo! said in a statement to The Register.

Malwarebytes said this fresh batch of dodgy adverts ran on the Yahoo! network between July 28 and August 3, which was when Yahoo! pulled the malicious content.

Jerome Segura, senior security researcher for Malwarebytes, told The Reg that the use of encryption by the adverts' masterminds makes detection far more difficult.

Segura explained that browsers fetch the script code via an encrypted HTTPS connection. Additionally, encryption is used to scramble the malware download.

"That we can't see where the redirect is happening and can't pinpoint where it is makes it more difficult," he explained. "Any kind of system that monitors at the network level would only see a blurb of data and nothing like a binary."

Exploit kit targeted people in US and Canada

According to Malwarebytes, the ads themselves did not contain any bad code, but rather silently led the browser to a page hosted on a Microsoft Azure site. That page then redirected to another domain that launched the Angler exploit kit on computers specifically in North America.

The kit exploits security holes in Adobe Flash to inject either the Bedep adware package or the CryptoWall ransomware onto vulnerable Windows systems. Security patches are available for the exploited flaws, so up-to-date computers were not at risk.

Segura suggests that users either disable Flash, or set the player on click-to-play mode so potentially harmful files are not loaded automatically.

The Purple Palace noted that such malware attacks are an all-too-common occurrence in the advertising space, a point Segura confirmed. Because so many online ads are run through various third-party networks and providers, a criminal can slip advertising code into an otherwise legitimate piece of advertising and infect thousands of pages without the site owners realizing anything is amiss.

"They are very smart in disguising themselves, changing their ads at the last minute, stuff like that," said Segura. "If there was a simple answer, whoever had it would be very rich." ®

Similar topics


Other stories you might like

  • Why Cloud First should not have to mean Cloud Everywhere

    HPE urges 'consciously hybrid' strategy for UK public sector

    Sponsored In 2013, the UK government heralded Cloud First, a ground-breaking strategy to drive cloud adoption across the public sector. Eight years on, and much of UK public sector IT still runs on-premises - and all too often - on obsolete technologies.

    Today the government‘s message boils down to “cloud first, if you can” - perhaps in recognition that modernising complex legacy systems is hard. But in the private sector today, enterprises are typically mixing and matching cloud and on-premises infrastructure, according to the best business fit for their needs.

    The UK government should also adopt a “consciously hybrid” approach, according to HPE, The global technology company is calling for the entire IT industry to step up so that the public sector can modernise where needed and keep up with innovation: “We’re calling for a collective IT industry response to the problem,” says Russell MacDonald, HPE strategic advisor to the public sector.

    Continue reading
  • A Raspberry Pi HAT for the Lego Technic fan

    Sneaking in programming under the guise of plastic bricks

    There is good news for the intersection of Lego and Raspberry Pi fans today, as a new HAT (the delightfully named Hardware Attached on Top) will be unveiled for the diminutive computer to control Technic motors and sensors.

    Using a Pi to process sensor readings and manage motors has been a thing since the inception of the computer, and users (including ourselves) have long made use of the General Purpose Input / Output (GPIO) pins that have been a feature of the hardware for all manner of projects.

    However, not all users are entirely happy with breadboards and jumpers. Lego, familiar to many a builder thanks to lines such as its Mindstorms range, recently introduced the Education SPIKE Prime set, aimed at the classroom.

    Continue reading
  • Reg scribe spends week being watched by government Bluetooth wristband, emerges to more surveillance

    Home quarantine week was the price for an overseas trip, ongoing observation is the price of COVID-19

    Feature My family and I recently returned to Singapore after an overseas trip that, for the first time in over a year, did not require the ordeal of two weeks of quarantine in a hotel room.

    Instead, returning travelers are required to stay at home, wear a government-issued tracking device, and stay within range of a government-issued Bluetooth beacon at all times for a week … or else. No visitors are allowed and only a medical emergency is a ticket out. But that sounded easy compared to the hotel quarantine we endured in 2020.

    Continue reading

Biting the hand that feeds IT © 1998–2021