Connect with us

Hi, what are you looking for?


Malware & Threats

Malvertising Campaign Infected Visitors to Yahoo, Other Sites With Ransomware

Researchers at Proofpoint have uncovered a malvertising campaign that hit a number of high-profile sites, including Yahoo, and AOL domains. 

Researchers at Proofpoint have uncovered a malvertising campaign that hit a number of high-profile sites, including Yahoo, and AOL domains. 

According to Proofpoint, the scheme generated an estimated $25,000 a day for the attackers.

“Without having to click on anything, visitors to the impacted websites may be stealthily infected with the CryptoWall 2.0 ransomware,” blogged Wayne Huang, vice president of engineering at Proofpoint. “Using Adobe Flash, the malvertisements silently “pull in” malicious exploits from the FlashPack Exploit Kit.”

“The exploits attack a vulnerability in the end-users’ browser and install CryptoWall 2.0 on end-users’ computers,” he continued. “Similar to the behavior of other “ransomware,” CryptoWall then encrypts the end-users’ hard drive and will not allow access until the victim pays a fee over the Internet for the decryption key.”

Typically, victims face an escalating timeline where failure to pay by a certain time results in their hard drives being permanently encrypted, Huang blogged.

Advertisement. Scroll to continue reading.

The sites themselves were not compromised; the advertising networks they relied upon for dynamic content were serving malware. All totaled, roughly three million visitors per day were exposed to the attacks. A list of the large websites affected in the attack is available here. Among them are Yahoo’s Finance, Sports and Fantasy Sports sites.

Proofpoint first detected isolated instances of this malveritising activity in late September. However, it wasn’t until recently that it reached a significant level of activity, Huang blogged. After it reached a certain level, it became possible to associate disparate instances with a single campaign impacting numerous sites.

Researchers observed three major ad networks delivering malvertisements to websites: OpenX, Rubicon Project and Right Media/Yahoo Advertising.

Proofpoint’s last detection of issues related to this campaign was Oct. 18. By sampling roughly 100 ransom collection addresses, researchers estimated that on a daily basis the campaign generated at least 40 addresses. The campaign is believed to have lasted for at least 30 days, meaning the attackers could have pocketed $750,000.

“It is important to recognize that the websites…were not compromised by attackers per se,” Huang blogged. “While it could be argued that malvertising detection on the part of the website owners would have been part of a comprehensive brand protection strategy, ultimately the sites and the ad networks were victims of an organized campaign that exploits the nature of modern content delivery networks in order to deliver malware onto end-users’ computers.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.