Malvertising Campaign Infected Visitors to Yahoo, Other Sites With Ransomware

Researchers at Proofpoint have uncovered a malvertising campaign that hit a number of high-profile sites, including Yahoo, Match.com and AOL domains. 

According to Proofpoint, the scheme generated an estimated $25,000 a day for the attackers.

“Without having to click on anything, visitors to the impacted websites may be stealthily infected with the CryptoWall 2.0 ransomware,” blogged Wayne Huang, vice president of engineering at Proofpoint. “Using Adobe Flash, the malvertisements silently “pull in” malicious exploits from the FlashPack Exploit Kit.”

“The exploits attack a vulnerability in the end-users’ browser and install CryptoWall 2.0 on end-users’ computers,” he continued. “Similar to the behavior of other “ransomware,” CryptoWall then encrypts the end-users’ hard drive and will not allow access until the victim pays a fee over the Internet for the decryption key.”

Typically, victims face an escalating timeline where failure to pay by a certain time results in their hard drives being permanently encrypted, Huang blogged.

The sites themselves were not compromised; the advertising networks they relied upon for dynamic content were serving malware. All totaled, roughly three million visitors per day were exposed to the attacks. A list of the large websites affected in the attack is available here. Among them are Yahoo’s Finance, Sports and Fantasy Sports sites.

Proofpoint first detected isolated instances of this malveritising activity in late September. However, it wasn’t until recently that it reached a significant level of activity, Huang blogged. After it reached a certain level, it became possible to associate disparate instances with a single campaign impacting numerous sites.

Researchers observed three major ad networks delivering malvertisements to websites: OpenX, Rubicon Project and Right Media/Yahoo Advertising.

Proofpoint’s last detection of issues related to this campaign was Oct. 18. By sampling roughly 100 ransom collection addresses, researchers estimated that on a daily basis the campaign generated at least 40 addresses. The campaign is believed to have lasted for at least 30 days, meaning the attackers could have pocketed $750,000.

“It is important to recognize that the websites…were not compromised by attackers per se,” Huang blogged. “While it could be argued that malvertising detection on the part of the website owners would have been part of a comprehensive brand protection strategy, ultimately the sites and the ad networks were victims of an organized campaign that exploits the nature of modern content delivery networks in order to deliver malware onto end-users’ computers.”