According to new research, the recent malvertisement attack on Yahoo.com that is believed to have infected the systems and devices of thousands of website visitors likely began earlier than initially believed. The incident could also signal an uptick in the use of highly effective iframe
It seems like [the attackers] could have done more than this.
Marc Maiffret, CTO, BeyondTrust
The Internet security firm Fox-IT reported the malware infection Jan. 3, which involved malicious ads being served by ads.yahoo.com using cross-site scripting. The iframes were directed to infected files on non-Yahoo servers.
Visitors to the malicious ads were then redirected to an exploit kit dubbed "Magnitude," the Dutch IT security firm discovered.
As a result, Yahoo visitors did not have to click on the malware ads in order for the exploit to be downloaded. The iframe-based attack also means Web ad servers need not be compromised.
As of Jan. 3, Fox-IT said Yahoo had moved to fix the problem. In a statement, Yahoo confirmed that the incident occured between Dec. 31, 2013, and Jan. 3., 2014, and that only visitors to its European sites were affected. Visits using Macs and mobile devices also were not affected.
Oscar Marquez, chief product officer at Redwood City, Calif.-based cloud security provider Total Defense, predicted larger attacks as a means of infecting as many systems as possible, given the effectiveness of the Yahoo exploit.
"The party involved [in the Yahoo attack] was just testing the water," Marquez said in an interview. He forecasted similar, more sophisticated exploits as hackers seek to establish a "distribution model" based on effective iframe attacks. A larger attack, perhaps in the next several weeks, would take malware ad attacks "to the next level" he said, as regional groups emerging in Asia prepare more sophisticated exploits.
China-based hackers in particular seem intent on copying security breaches like the Yahoo malware ad attack, then developing new exploits. Hence, Marquez advises enterprise customers to cover every possible security angle as hackers seek to take advantage of new vulnerabilities. He advocated a technique called cloud Web filtering as a way to scrub all inbound traffic, block malware and other attacks, then quarantine exploits.
Statistics on the breadth of malvertisement attacks are hard to come by, industry experts said, but according to data from the Online Trust Alliance, in 2012 more than 10 billion ad impressions involved some form of malvertising.
After detecting the malicious ads served by Yahoo, Fox-IT said it investigated the infection of its clients' systems that had visited Yahoo's website. Based on a sample of traffic, Fox-IT estimated the number of visits to the malicious site at about 300,000 per hour. Taking into account a typical infection rate of 9%, it projected about 27,000 infections hourly.
Based on the expanding number of domains now thought to have been involved, Jaeson Schultz, lead threat researcher with Cisco Systems Inc., said he suspects that the Yahoo malware ad attacks may have started weeks prior to the date range acknowledged by Yahoo.
Schultz said in an interview late Wednesday that he has observed malicious Yahoo ad traffic involving more than 300 different domains that dates back prior to December 2013. In a Cisco Security blog post published Thursday, Schultz wrote that the malicious advertisements affecting Yahoo were just one in a series of attacks involving the same set of hostnames beginning as early as Nov. 28, 2013.
"These [attackers] have been in business for a while,” Schultz said.
When contacted by SearchSecurity, a Yahoo spokesperson declined to comment on whether the attacks may have started prior to December, or whether it is continuing to research the issue.
Given that hackers are attempting to infect as many systems and devices as possible, some observers worry that the Yahoo attack could morph into something bigger in the next several weeks. For example, Marquez said, future malware attacks could move beyond online ads to Web coupons or massive online communities like gamers. Playstation and Xbox console users are among the possible targets, he said.
Future attacks could also raise the stakes by going after financial data. Fox-IT warned that the so far unknown attackers "are clearly financially motivated and seem to offer services to other actors." It said php.net, which offers downloads of general purpose scripting languages, was hit by a similar exploit kit in October 2013.
Among the possible future attack possibilities are using infected machines to "mine" for Bitcoin digital currency. "Anything is possible," Schultz added. "They are always looking to hit something big.”
The Yahoo attack again raises concerns about third-party security, particularly ad networks. "Going after third parties is a vector that is going to be exploited," Schultz added.
The Yahoo attack also illustrates the "thriving marketplace" for a variety of malware attacks and other security threats that identify system vulnerabilities in operating systems and unused Java apps, noted Marc Maiffret, chief technology officer at BeyondTrust, a Phoenix-based security vendor. This emerging ecosystem includes different groups writing exploits while others focus on malware.
"You don't have to have the entire recipe to launch attacks," Maiffret warned.
As for the Yahoo attack, Maiffret agreed, "It seems like [the attackers] could have done more than this."
Maiffret said system administrators focusing primarily on malware attacks also need to look at underlying vulnerabilities while "reducing your attack surfaces." The Yahoo incident "shows how known vulnerabilities are being leveraged," he added.
Executive Editor Eric B. Parizo contributed to this story.