Hackers are Spreading Malware via Yahoo Ads

By ISBuzz Team, August 12, 2015 (updated April 30, 2025)

Hackers are using Yahoo’s ad network to spread malware to hundreds of millions of internet users.

Cybercriminals are utilising Yahoo’s own ad network to deliver malware to hundreds of millions of visitors to some of the internet giant’s most popular websites. Hugely popular websites including Yahoo.com itself, as well as the portal’s sports, finance, celebrity and games websites have been hit by one of the biggest malvertising campaigns seen in recent years.

Following this news, security experts at Imperva, STEALTHbits, Spikes Security and ESET have explained what happened and how, as well as malvertising trends and what users can do to protect themselves.

Amichai Shulman, CTO, Imperva:

“Ad networks are complex multilayer business affiliation webs. While the major players do their best to prevent malvertizing, it does happen from time to time. We see a wave-like behavior in this field with 6-month frequency. That is, attackers find a way to sneak in malvertizing and use it for a month, then ad network operators improve their control and prevent abuse for a few months (4-5) and then it all starts again. The advantage of malvertizing for attackers is of course the ability to target a specific population (just like marketing people do with online ads). See our prediction to 2014.”

Mark James, Security Specialist at IT Security Firm ESET:

How did it happen?

“Adverts on web pages often are delivered through third party companies that deliver thousands of adverts to all manner of websites. Typically, a company will rent space on a high profile website and offer adverts based on behavioural tracking to deliver the most accurate bait for you to click. The problem with this of course is if the source advert is infected then it could be delivered to many legit websites as part of a group of normally “safe” adverts.”

Does it differ from malvertising campaigns we have seen in the past?

“They all want to achieve the same end result: trick the user into downloading the exploit, infect the machine, stay undetected and perform malicious activity. They use different means to do this and, much like malware, we see dips and blooms in the different techniques used, some successful and some not. The Angler Exploit kit uses some unique features to stay ahead of the game, including detection of security software and virtual environments to avoid detection, as well as using memory injection to achieve file-less infection. This, alongside how easy it is to obtain on the dark market, makes it one of the “bad” ones out there at present.”

The Angler Exploit kit has been around for a while now, can anything be done to stop it?

“I am sure you will have heard me say before, make sure all your applications and operating systems are up to date and able to be patched at regular intervals. Do not open attachments in emails or download applications unless you are confident of their source or you intentionally decided to do so, and if possible look at some kind of plug-ins for your browsers to block automatic execution of iframes or scripts.”

Could Yahoo have prevented this?

“The million-dollar question. Yes, of course they could; is it practical and easy to do? Most probably not. All companies strive for the most cost-effective means to deliver content to the users that want it; they must look at costs both incoming and outgoing. From a cost point of view, why invent the wheel when it comes to advertising?”

Branden Spikes, CEO, CTO & Founder, Spikes Security:

“Website authors take this risk every time they design pages that inherit external resources from untrusted sources, such as advertising networks.  These massive cyber security failures unfortunately do little to compel websites to change their ways.  This is not the first time Yahoo has spread millions of malware infections. Through malware botnets, hackers can gain access to enterprise secrets, can create bogus advertising charges through fraudulent click-throughs and ad impressions, and can launch massive distributed denial of service attacks. When browsing without using an isolation solution, you should consider limiting exposure to advertising-based websites, use ad-blocker software in your browsers, and definitely consider deploying isolation technology to keep your browser from becoming yet another cog in the great hacking wheel.”

Brian Vecci, VP of Product Management, STEALTHbits:

“The Yahoo! Advertising attack highlights something that security folks have known forever: attacks can come from anywhere, in any form. What’s interesting here isn’t that a piece of technology – in this case an online advertising network – has been compromised. Businesses and consumers should already be wary of any code on any web page, and should be running up to date browsers and anti-malware software on their clients anyway. What’s more interesting here is the potential damage this might do to Yahoo! Advertising as a trusted provider. Online advertising has increasingly relied on the combination of intelligent targeting and utility: show useful information to the right people to make the advertising worthwhile. If the network itself isn’t trusted, however, online advertisers aren’t going to bother since no matter how relevant or useful the message is, the messenger won’t be trusted.”

Jeff Hill, Channel Marketing Manager, STEALTHbits:

“This latest Yahoo! malvertising attack is yet more evidence of the endless creativity and innovation driven by a growing list of motives among hackers and criminals, and thus it behooves individuals to accept a reality that the corporate world is rapidly acknowledging:  assume your system will be, or already has been, compromised.  A strategy that puts all eggs in the prevention basket will fail; the bad guys are too clever, and there’s too much money, glory, etc. fueling their passion, with no end in sight.

“That means investing in a high-quality, up-to-date anti-malware subscription, strong passwords (read:  frequently updated, long and complex) on all accounts, especially financial and banking sites, and maybe even a good password management software package that replaces your “passwords” spreadsheet.  Make sure the digital valuables are safely secured in the family safe so when the bad guys inevitably break into the house, there’s nothing useful for them to steal.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
