Connect with us

Hi, what are you looking for?


Malware & Threats

Malvertising Campaign Infected Visitors to Yahoo, Other Sites With Ransomware

Researchers at Proofpoint have uncovered a malvertising campaign that hit a number of high-profile sites, including Yahoo, and AOL domains. 

Researchers at Proofpoint have uncovered a malvertising campaign that hit a number of high-profile sites, including Yahoo, and AOL domains. 

According to Proofpoint, the scheme generated an estimated $25,000 a day for the attackers.

“Without having to click on anything, visitors to the impacted websites may be stealthily infected with the CryptoWall 2.0 ransomware,” blogged Wayne Huang, vice president of engineering at Proofpoint. “Using Adobe Flash, the malvertisements silently “pull in” malicious exploits from the FlashPack Exploit Kit.”

“The exploits attack a vulnerability in the end-users’ browser and install CryptoWall 2.0 on end-users’ computers,” he continued. “Similar to the behavior of other “ransomware,” CryptoWall then encrypts the end-users’ hard drive and will not allow access until the victim pays a fee over the Internet for the decryption key.”

Typically, victims face an escalating timeline where failure to pay by a certain time results in their hard drives being permanently encrypted, Huang blogged.

Advertisement. Scroll to continue reading.

The sites themselves were not compromised; the advertising networks they relied upon for dynamic content were serving malware. All totaled, roughly three million visitors per day were exposed to the attacks. A list of the large websites affected in the attack is available here. Among them are Yahoo’s Finance, Sports and Fantasy Sports sites.

Proofpoint first detected isolated instances of this malveritising activity in late September. However, it wasn’t until recently that it reached a significant level of activity, Huang blogged. After it reached a certain level, it became possible to associate disparate instances with a single campaign impacting numerous sites.

Researchers observed three major ad networks delivering malvertisements to websites: OpenX, Rubicon Project and Right Media/Yahoo Advertising.

Proofpoint’s last detection of issues related to this campaign was Oct. 18. By sampling roughly 100 ransom collection addresses, researchers estimated that on a daily basis the campaign generated at least 40 addresses. The campaign is believed to have lasted for at least 30 days, meaning the attackers could have pocketed $750,000.

“It is important to recognize that the websites…were not compromised by attackers per se,” Huang blogged. “While it could be argued that malvertising detection on the part of the website owners would have been part of a comprehensive brand protection strategy, ultimately the sites and the ad networks were victims of an organized campaign that exploits the nature of modern content delivery networks in order to deliver malware onto end-users’ computers.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...