Malvertising Attack Hits Yahoo! Ad Network

A large malvertising attack recently hit the Yahoo! advertising network. The campaign leveraged Microsoft Azure websites and eventually redirected browsers to pages hosting the Angler Exploit Kit to compromise systems.

The malicious campaign started on July 28, and was shut down on Aug. 3, according to Malwarebytes, the security firm that discovered the attack.

“Many of the website’s 6.9 billion readers could have been affected, making this one of the largest malvertising attacks Malwarebytes Labs has seen recently,” Jerome Segura, senior security researcher at Malwarebytes Labs, wrote in a blog post.

Segura warned that victims of the attack were infected with ransomware via the Angler Exploit Kit, noting that it was also possible that banking trojans or advertising fraud could have been used in the attack.

Malvertising Attack Using Angler Exploit Kit

After notifying Yahoo! of the attack, Malwarebytes said the Internet firm responded quickly and took action to stop the campaign.

“Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience,” Yahoo said in a statement. “As soon as we learned of this issue, our team took action and will continue to investigate this issue.”

The developers of the Angler Exploit Kit recently updated the crimeware to make it more difficult to track down the sources of a malvertising campaign. The exploit kit now breaks the referrer chain, which plays an important part when disrupting malvertising operations, security researcher Yonathan Klijnsma told SecurityWeek in May.

According to data released today by security firm RiskIQ, in the first half of this year the number of malvertisements has jumped 260 percent compared to the same period in 2014.

“The sheer number of unique malvertisements has climbed 60 percent year over year. Meanwhile, fake Flash updates have replaced fake antivirus and fake Java updates as the most common method used to lure victims into installing various forms of malware including ransomware, spyware and adware,” RiskIQ said.

“Malvertising campaigns exploit a number of systemic weaknesses within the web’s ecosystem. These campaigns target verification and validation weaknesses in the ad networks and platforms,” Lane Thomas, Security Research and Software Development Engineer at Tripwire, told SecurityWeek. “Then, after successfully gaining access to these ad systems, the associated attackers take advantage of scale and lax patching. Scale is an issue here because one successful penetration of an ad system leads to huge payoff in terms of the total number of victims who can be attacked via malicious ads.”

“The final problem, which is where the exploit kit aspect of this problem wins, is due to massive amounts of lax software patching,” Thomas said. “Exploit kits focus largely on vulnerabilities in Adobe Flash, Java, and Silverlight along with vulnerabilities in the core web browsers themselves, and exploit kits thrive because so many end users don’t keep their software patched and updated.”

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
