Malvertising attacks via Yahoo ads may precede broader iframe attacks

Update: A Cisco researcher says last week's malvertisement attacks using Yahoo ads likely began prior to December 2013.

According to new research, the recent malvertisement attack on Yahoo.com that is believed to have infected the systems and devices of thousands of website visitors likely began earlier than initially believed. The incident could also signal an uptick in the use of highly effective iframe Web attacks on larger online communities.

The Internet security firm Fox-IT reported the malware infection Jan. 3, which involved malicious ads being served by ads.yahoo.com using cross-site scripting. The iframes were directed to infected files on non-Yahoo servers.

Visitors to the malicious ads were then redirected to an exploit kit dubbed "Magnitude," the Dutch IT security firm discovered.

As a result, Yahoo visitors did not have to click on the malware ads in order for the exploit to be downloaded. The iframe-based attack also means Web ad servers need not be compromised.
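As an added illustration (not code from the article, Fox-IT or Cisco), the following Python shows how a defender could look in web proxy logs for the pattern described above: requests whose referer is the ad server but whose destination is a host the publisher does not own, then clustered by resolved IP so that many throwaway domains on one server stand out. The log format, hostnames and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log (not real traffic): timestamp, client, URL, referer, resolved IP.
SAMPLE_LOG = """\
2014-01-02T10:00:01 10.0.0.5 http://ads.yahoo.com/ad?id=1 http://www.yahoo.com/ 203.0.113.10
2014-01-02T10:00:02 10.0.0.5 http://ad-landing-a.invalid/landing http://ads.yahoo.com/ad?id=1 198.51.100.7
2014-01-02T10:00:09 10.0.0.8 http://ads.yahoo.com/ad?id=2 http://www.yahoo.com/ 203.0.113.10
2014-01-02T10:00:10 10.0.0.8 http://ad-landing-b.invalid/landing http://ads.yahoo.com/ad?id=2 198.51.100.7
2014-01-02T10:00:15 10.0.0.9 http://s.yimg.com/img.png http://www.yahoo.com/ 203.0.113.20
2014-01-02T10:00:20 10.0.0.9 http://ad-landing-c.invalid/landing http://ads.yahoo.com/ad?id=3 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
AD_SERVER = "ads.yahoo.com"                 # the ad host named in the article
FIRST_PARTY = ("yahoo.com", "yimg.com")     # assumed publisher-owned domains

def host_of(url):
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""

def is_first_party(host):
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, url, referer, ip = m.groups()
            yield {"ts": ts, "client": client, "host": host_of(url),
                   "ref_host": host_of(referer), "ip": ip}

def suspicious_redirects(log):
    """Requests to non-publisher hosts referred by the ad server: the shape an
    iframe embedded in an ad produces, with no click by the visitor."""
    return [r for r in parse(log)
            if r["ref_host"] == AD_SERVER and not is_first_party(r["host"])]

def cluster_by_ip(records, min_hosts=2):
    """Group ad-referred third-party hosts by resolved IP. Several distinct
    hostnames on one address is the 'many domains, one server' signal."""
    hosts_by_ip = defaultdict(set)
    for r in records:
        hosts_by_ip[r["ip"]].add(r["host"])
    return {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for ip, hosts in cluster_by_ip(suspicious_redirects(SAMPLE_LOG)).items():
        print(ip, hosts)
```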

As of Jan. 3, Fox-IT said Yahoo had moved to fix the problem. In a statement, Yahoo confirmed that the incident occurred between Dec. 31, 2013, and Jan. 3, 2014, and that only visitors to its European sites were affected. Visits using Macs and mobile devices also were not affected.

Oscar Marquez, chief product officer at Redwood City, Calif.-based cloud security provider Total Defense, predicted larger attacks as a means of infecting as many systems as possible, given the effectiveness of the Yahoo exploit.

"The party involved [in the Yahoo attack] was just testing the water," Marquez said in an interview. He forecast similar, more sophisticated exploits as hackers seek to establish a "distribution model" based on effective iframe attacks. A larger attack, perhaps in the next several weeks, would take malware ad attacks "to the next level," he said, as regional groups emerging in Asia prepare more sophisticated exploits.

China-based hackers in particular seem intent on copying security breaches like the Yahoo malware ad attack, then developing new exploits. Hence, Marquez advises enterprise customers to cover every possible security angle as hackers seek to take advantage of new vulnerabilities. He advocated a technique called cloud Web filtering as a way to scrub all inbound traffic, block malware and other attacks, then quarantine exploits.

Statistics on the breadth of malvertisement attacks are hard to come by, industry experts said, but according to data from the Online Trust Alliance, in 2012 more than 10 billion ad impressions involved some form of malvertising.

After detecting the malicious ads served by Yahoo, Fox-IT said it investigated the infection of its clients' systems that had visited Yahoo's website. Based on a sample of traffic, Fox-IT estimated the number of visits to the malicious site at about 300,000 per hour. Taking into account a typical infection rate of 9%, it projected about 27,000 infections hourly.

Based on the expanding number of domains now thought to have been involved, Jaeson Schultz, lead threat researcher with Cisco Systems Inc., said he suspects that the Yahoo malware ad attacks may have started weeks prior to the date range acknowledged by Yahoo.

Schultz said in an interview late Wednesday that he has observed malicious Yahoo ad traffic involving more than 300 different domains that dates back prior to December 2013. In a Cisco Security blog post published Thursday, Schultz wrote that the malicious advertisements affecting Yahoo were just one in a series of attacks involving the same set of hostnames beginning as early as Nov. 28, 2013.

"These [attackers] have been in business for a while," Schultz said.

When contacted by SearchSecurity, a Yahoo spokesperson declined to comment on whether the attacks may have started prior to December, or whether it is continuing to research the issue.

Given that hackers are attempting to infect as many systems and devices as possible, some observers worry that the Yahoo attack could morph into something bigger in the next several weeks. For example, Marquez said, future malware attacks could move beyond online ads to Web coupons or massive online communities such as gamers. PlayStation and Xbox console users are among the possible targets, he said.

Future attacks could also raise the stakes by going after financial data. Fox-IT warned that the so far unknown attackers "are clearly financially motivated and seem to offer services to other actors." It said php.net, which offers downloads of general purpose scripting languages, was hit by a similar exploit kit in October 2013.

Among the possible future attacks is the use of infected machines to "mine" for Bitcoin digital currency. "Anything is possible," Schultz added. "They are always looking to hit something big."

The Yahoo attack again raises concerns about third-party security, particularly ad networks. "Going after third parties is a vector that is going to be exploited," Schultz added.

The Yahoo attack also illustrates the "thriving marketplace" for a variety of malware attacks and other security threats that identify system vulnerabilities in operating systems and unused Java apps, noted Marc Maiffret, chief technology officer at BeyondTrust, a Phoenix-based security vendor. This emerging ecosystem includes different groups writing exploits while others focus on malware.

"You don't have to have the entire recipe to launch attacks," Maiffret warned.

As for the Yahoo attack, Maiffret agreed, "It seems like [the attackers] could have done more than this."

Maiffret said system administrators focusing primarily on malware attacks also need to look at underlying vulnerabilities while "reducing your attack surfaces." The Yahoo incident "shows how known vulnerabilities are being leveraged," he added.

Executive Editor Eric B. Parizo contributed to this story.


What security controls does your organization have in place to defend against malvertising?

Whilst no one doubts the abilities of the fraudsters to infiltrate sites for the purpose of injecting malware into a computer, when the core business is marketing, and you rely on visitors to your website as your core advertising medium, then it’s totally unacceptable that Yahoo was not better prepared and alert. No matter the amount of apologies Yahoo gives its clients, its reputation has been seriously dented and trust shattered. The simple fact of the matter is that one should not expect to find malware on an internationally recognised site such as Yahoo, and such companies have a social and moral responsibility to take all measures to ensure that such a breach should not occur. The consequence for many clients is that their personal and financial data has been compromised, the implications of which can be shocking on some of the more vulnerable members of our society. All very well for Yahoo to issue stock statements about the nature of the attack, and the basic “help” on what steps to take if one is concerned that their PC may have been infected, but that will be little consolation to those clients who now feel vulnerable, exposed and worried.

Unfortunately, Yahoo is not alone in terms of major companies where significant breaches have occurred and who have hit the headlines in the past year, and sadly we can expect more of the same this year. Once a network or system is compromised, the lost data remains at large and the data owners remain vulnerable to attacks that can compromise their bank accounts, and other accounts of value.

Given the ease at which the fraudsters carry out mass attacks with increasing impact, there is no doubt that the premise now must be to focus on how to render stolen data unusable by hackers/thieves. The correlation between identity theft and subsequent fraud is clearly proven, and I stand behind the view that improving our capabilities before the fraud event, or as the event is occurring, must be the next stage of the evolution of security defences. Being able to determine the difference between a fraud event and a false positive is of course the ultimate weapon in the defence against crime, and the ultimate in terms of best practice consumer protection and customer satisfaction. The key of course lies in the security architecture, providing the highest levels of security and privacy by combining invisible security layers, and low or no friction on the consumer side. Corporate mindsets have to change. The technology exists today to enable these complementary security layers to augment existing security defences. The payback for those entities that get this right will be swift and significant - consumers will be quick to recognise the brand of trust that provides them with the assurance that their banking credentials are protected, their transactions are secure and their interactions are intuitive.

So Yahoo is in the wars and has been hit by a damaging malware attack that has affected over 2 million of its clients and put their personal data at risk. Yahoo clients visiting yahoo.com received advertisements, some of which were malicious. The attack was first spotted on December 30th, although it is likely to have been infecting clients from as early as December 27th through to January 3rd. The exploit primarily affected Yahoo clients based in Europe, with Romania, Great Britain, France, Italy and Spain accounting for around 75% of those affected. It's worth noting that victims didn't have to click on the malicious ads in order to have their devices infected with malware. Basically a "drive-by" exploit kit was deployed and did not need to be clicked on; just loading the advertisements was enough to get exploited and infected with malware. However, clients with an up-to-date version of Java were not affected, as the exploit affected older versions of Java which allowed the malware to automatically run. Newer versions of Java required the user to click the advertisement and therefore circumvent the redirect. Upon visiting the malicious advertisements, users were redirected to random domains served from a single IP address apparently hosted in the Netherlands. The exploit kit took advantage of vulnerabilities in Java and apparently installed a host of different malware including, amongst others, ZeuS, Andromeda and Necurs. It has also been alleged that a primary focus of the exploit is to enable Bitcoin mining by establishing a "Bitnet" (a variation of a botnet) that is designed to use mass host computational resources for Bitcoin mining.
