Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Malvertising Campaign Infected Visitors to Yahoo, Other Sites With Ransomware

Researchers at Proofpoint have uncovered a malvertising campaign that hit a number of high-profile sites, including Yahoo, and AOL domains. 

Researchers at Proofpoint have uncovered a malvertising campaign that hit a number of high-profile sites, including Yahoo, and AOL domains. 

According to Proofpoint, the scheme generated an estimated $25,000 a day for the attackers.

“Without having to click on anything, visitors to the impacted websites may be stealthily infected with the CryptoWall 2.0 ransomware,” blogged Wayne Huang, vice president of engineering at Proofpoint. “Using Adobe Flash, the malvertisements silently “pull in” malicious exploits from the FlashPack Exploit Kit.”

“The exploits attack a vulnerability in the end-users’ browser and install CryptoWall 2.0 on end-users’ computers,” he continued. “Similar to the behavior of other “ransomware,” CryptoWall then encrypts the end-users’ hard drive and will not allow access until the victim pays a fee over the Internet for the decryption key.”

Typically, victims face an escalating timeline where failure to pay by a certain time results in their hard drives being permanently encrypted, Huang blogged.

The sites themselves were not compromised; the advertising networks they relied upon for dynamic content were serving malware. All totaled, roughly three million visitors per day were exposed to the attacks. A list of the large websites affected in the attack is available here. Among them are Yahoo’s Finance, Sports and Fantasy Sports sites.

Proofpoint first detected isolated instances of this malveritising activity in late September. However, it wasn’t until recently that it reached a significant level of activity, Huang blogged. After it reached a certain level, it became possible to associate disparate instances with a single campaign impacting numerous sites.

Researchers observed three major ad networks delivering malvertisements to websites: OpenX, Rubicon Project and Right Media/Yahoo Advertising.

Proofpoint’s last detection of issues related to this campaign was Oct. 18. By sampling roughly 100 ransom collection addresses, researchers estimated that on a daily basis the campaign generated at least 40 addresses. The campaign is believed to have lasted for at least 30 days, meaning the attackers could have pocketed $750,000.

“It is important to recognize that the websites…were not compromised by attackers per se,” Huang blogged. “While it could be argued that malvertising detection on the part of the website owners would have been part of a comprehensive brand protection strategy, ultimately the sites and the ad networks were victims of an organized campaign that exploits the nature of modern content delivery networks in order to deliver malware onto end-users’ computers.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.