Researchers at Proofpoint have uncovered a malvertising campaign that hit a number of high-profile sites, including Yahoo, Match.com and AOL domains.
According to Proofpoint, the scheme generated an estimated $25,000 a day for the attackers.
“Without having to click on anything, visitors to the impacted websites may be stealthily infected with the CryptoWall 2.0 ransomware,” blogged Wayne Huang, vice president of engineering at Proofpoint. “Using Adobe Flash, the malvertisements silently ‘pull in’ malicious exploits from the FlashPack Exploit Kit.”
“The exploits attack a vulnerability in the end-users’ browser and install CryptoWall 2.0 on end-users’ computers,” he continued. “Similar to the behavior of other ‘ransomware,’ CryptoWall then encrypts the end-users’ hard drive and will not allow access until the victim pays a fee over the Internet for the decryption key.”
Typically, victims face an escalating timeline where failure to pay by a certain time results in their hard drives being permanently encrypted, Huang blogged.
The sites themselves were not compromised; the advertising networks they relied upon for dynamic content were serving malware. In total, roughly three million visitors per day were exposed to the attacks. A list of the large websites affected in the attack is available here. Among them are Yahoo’s Finance, Sports and Fantasy Sports sites.
Proofpoint first detected isolated instances of this malvertising activity in late September. However, it wasn’t until recently that it reached a significant level of activity, Huang blogged. After it reached a certain level, it became possible to associate disparate instances with a single campaign impacting numerous sites.
Researchers observed three major ad networks delivering malvertisements to websites: OpenX, Rubicon Project and Right Media/Yahoo Advertising.
Proofpoint’s last detection of issues related to this campaign was Oct. 18. By sampling roughly 100 ransom collection addresses, researchers estimated that on a daily basis the campaign generated at least 40 addresses. The campaign is believed to have lasted for at least 30 days, meaning the attackers could have pocketed $750,000.
“It is important to recognize that the websites…were not compromised by attackers per se,” Huang blogged. “While it could be argued that malvertising detection on the part of the website owners would have been part of a comprehensive brand protection strategy, ultimately the sites and the ad networks were victims of an organized campaign that exploits the nature of modern content delivery networks in order to deliver malware onto end-users’ computers.”
