The same hackers that have exploited vulnerabilities of Adobe Flash have used advertising on Yahoo's largest websites to distribute malware to billions, according to researchers at Malwarebytes.
The attackers took on Yahoo's own ad network and leveraged Microsoft Azure websites to spread the increasingly popular Angler Exploit Kit (EK) to unsuspecting site visitors, the researchers noted in a blog post.
Although the campaign ultimately led victims to the Angler EK, the security company didn't collect information on its payload. However, it did note that this EK often leads to Bedep ad fraud and CryptoWall ransomware.
The campaign is believed to have kicked off July 28. Once it was discovered, Malwarebytes informed Yahoo of the issue, and Yahoo immediately halted the campaign and rendered it inactive.
"With the pure scale and size of Yahoo – many people may have fallen victim to this attack," Grayson Milbourne, security intelligence director at Webroot, said in commentary emailed to SCMagazine.com on Monday, adding that it "is an indication that potential breaches are heading in the direction of becoming more complex in nature, and with further reaching effects on a larger number of end-users."
Milbourne noted that with the immense number of visitors to Yahoo's websites, including 6.9 billion monthly to its homepage, "this exploit raises serious questions about the size of this attack and Yahoo's security processes."
He also said that, in addition to being prudent "when obtaining and installing software," users should use the Chrome browser as well as an ad-removal extension.
"This combination offers the best chance of preventing an ad network redirect to an exploit kit," Milbourne said. "When in doubt, steer clear, and stay safe."
While Yahoo did stop the malvertising upon being alerted, it also noted in a statement to Malwarebytes that it is “committed to ensuring that both our advertisers and users have a safe and reliable experience.”
The statement also says the company will continue to “ensure quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”