It recently emerged that Yahoo's advertising platform has been the target of an ambitious and insidious attack, in which the popular ad network was used as the delivery channel for a particularly nasty piece of ransomware.
In these so-called "malvertising" attacks, cyber criminals first get their own ad servers accepted as legitimate partners within an ad network, and then use the trust they have gained to place malicious ads on high-profile sites.
The ads appear legitimate, but deliver a payload of malware or other unwanted software to the unsuspecting user. Because the site you visit never sees the ad content itself, only the network that vouches for it, you could be surfing on a site you trust, only to be infected with malware when you click on an ad. In this case, the payload was the ransomware CryptoWall.
To refresh your memory, ransomware is a kind of Trojan that encrypts documents on victims' computers and demands a large payment for the decryption key. If you don't pay, the ransomware threatens to delete the key, leaving the encrypted files unreadable. At one point, one virulent strain of ransomware, CryptoLocker, claimed over 10,000 UK victims in one week. The National Crime Agency (NCA) has estimated that around 15,000 computers may currently be infected in the UK. Worldwide, the figure runs into the millions.
The Blue Coat research team that found the campaign at first didn't realise the gravity of their discovery, believing it to be a minor exploit of some small advertising servers. The discovery that Yahoo's ad network had also been abused showed just how far the malvertising plague had spread.
"What looked like a minor malvertising attack quickly became more significant as the cyber criminals were successfully able to gain the trust of the major ad networks like ads.yahoo.com," said Chris Larsen, part of the research team for Blue Coat Systems that uncovered the attack.
"The interconnected nature of ad servers and the ease with which would-be-attackers can build trust to deliver malicious ads points to a broken security model that leaves users exposed to the types of ransomware and other malware that can steal personal, financial and credential information."
The research team also identified adsmail.us as a referring site for the malicious networks. The researchers flagged the site as a malvertising source when they noted that it was sending traffic to another known-malicious network and was not sending traffic to any legitimate site whatsoever.
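The heuristic described above, a referrer that only ever hands traffic to known-bad hosts, can be expressed as a small piece of detection logic. The following is an added illustration written for this page, not Blue Coat's code or tooling: the log format, the domain names and the blocklist are all constructed assumptions, and the "mixed" category (a referrer that sends traffic to both good and bad hosts) goes a step beyond the article, since such a site may simply be a victim displaying a compromised ad.

```python
"""Flag 'dead-end' referrers: domains whose outbound traffic goes only to known-bad hosts.

Constructed example for illustration; the log format, domain names and
blocklist below are assumptions, not data from the research described.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed reputation data: hosts already classified as malicious ad/exploit infrastructure.
KNOWN_BAD = {"badnet1.example", "badnet2.example"}

# Constructed proxy log lines in an assumed format: "<client> <referrer-url> <destination-url>"
SAMPLE_LOG = """\
10.0.0.5 http://referrer-a.example/land.html http://badnet1.example/ad.js
10.0.0.6 http://referrer-a.example/land.html http://badnet2.example/redir?x=1
10.0.0.7 http://referrer-b.example/ http://ads.yahoo.com/serve
10.0.0.8 http://referrer-b.example/ http://badnet1.example/ad.js
10.0.0.9 http://referrer-c.example/ http://cdn.example/lib.js
"""


def host_of(url):
    """Return the hostname part of a URL, or '' if it cannot be parsed."""
    return urlparse(url).hostname or ""


def parse_log(text):
    """Yield (referrer_host, destination_host) pairs from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _client, referrer, dest = parts
        yield host_of(referrer), host_of(dest)


def referrer_profile(text):
    """Map each referrer host to the set of destination hosts it sent traffic to."""
    profile = defaultdict(set)
    for ref, dest in parse_log(text):
        if ref and dest:
            profile[ref].add(dest)
    return profile


def suspicious_referrers(text, known_bad=KNOWN_BAD, min_events=2):
    """Split referrers into two lists: dead-end and mixed.

    dead_end: every destination the referrer sends traffic to is known-bad
              (the pattern the researchers used to flag the referring site).
    mixed:    some destinations are known-bad, others are not; this is what
              a legitimate site showing a compromised ad looks like.
    Referrers with fewer than min_events log lines are ignored as too thin to judge.
    """
    counts = defaultdict(int)
    for ref, _ in parse_log(text):
        counts[ref] += 1

    dead_end, mixed = [], []
    for ref, dests in referrer_profile(text).items():
        if counts[ref] < min_events:
            continue
        bad = dests & known_bad
        if bad and bad == dests:
            dead_end.append(ref)
        elif bad:
            mixed.append(ref)
    return sorted(dead_end), sorted(mixed)


if __name__ == "__main__":
    dead_end, mixed = suspicious_referrers(SAMPLE_LOG)
    print("dead-end referrers (only known-bad destinations):", dead_end)
    print("mixed referrers (some known-bad destinations):", mixed)
```

On the constructed log, referrer-a.example is reported as a dead end because both of its destinations are on the blocklist, while referrer-b.example is only "mixed" because it also sends traffic to ads.yahoo.com. The min_events threshold exists because a single log line says nothing about where a site sends traffic "whatsoever"; in practice the threshold and the blocklist would come from the organisation's own telemetry.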
Yahoo was not immediately available for comment.