Monday, January 13, 2014
Yahoo malvertising is linked to a larger malware scheme
A look by Cisco Systems into the cyberattack that infected Yahoo users with malware shows a link between the attack and a suspicious affiliate traffic scheme with ties to Ukraine.
Yahoo said on Sunday that European users were shown malicious advertisements, or “malvertisements,” between December 31st and January 11th.
If the advertisement is clicked, the user is directed to a website that attempts to install malicious software.
Cisco found that the malicious websites victims were sent to are linked to hundreds of ongoing cyberattacks.
The malicious domains all start with a series of numbers, contain anywhere from two to six cryptic sub-domain labels, and end with two random words in the second-level domain.
Looking at the domains hosted in the large IP block to which Yahoo victims were redirected, researchers found 393 others that matched the pattern.
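As an added illustration (not Cisco's tooling and not part of the original article), the hostname structure described above can be turned into a simple hunting filter for proxy or DNS logs. The word list, the sample hostnames and the reading that the numeric prefix belongs to the first of the two to six sub-domain labels are all assumptions made for this example.

```python
import re

# Constructed mini word list; in practice load a real dictionary file.
WORDS = {"blue", "window", "paper", "garden", "stone", "river"}
LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")

def split_two_words(sld, words=WORDS):
    """Return (w1, w2) if sld is exactly two dictionary words joined, else None."""
    for i in range(1, len(sld)):
        if sld[:i] in words and sld[i:] in words:
            return sld[:i], sld[i:]
    return None

def matches_pattern(host, words=WORDS):
    """True if host fits the structure described in the article (our reading of it)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 4 or not all(LABEL_RE.match(l) for l in labels):
        return False
    subdomains, sld = labels[:-2], labels[-2]      # assumes a single-label TLD
    return (
        2 <= len(subdomains) <= 6                  # two to six sub-domain labels
        and re.match(r"\d+", subdomains[0]) is not None   # leading series of numbers
        and split_two_words(sld, words) is not None       # two words in the SLD
    )

def scan(hostnames, words=WORDS):
    """Group matching hostnames by registered domain for analyst review."""
    hits = {}
    for h in hostnames:
        if matches_pattern(h, words):
            reg = ".".join(h.lower().rstrip(".").split(".")[-2:])
            hits.setdefault(reg, []).append(h)
    return hits

# Constructed sample hostnames (reserved .example TLD), as seen in proxy or DNS logs.
SAMPLE = [
    "8120476.a1x9.q7.zk3.bluewindow.example",   # matches
    "55.kq2.papergarden.example",               # matches
    "www.bluewindow.example",                   # too few labels, no numeric prefix
    "123.a.b.c.d.e.f.stoneriver.example",       # seven sub-domain labels
    "42.cdn.img.portal.example",                # SLD is not two joined words
]

if __name__ == "__main__":
    for reg, hosts in scan(SAMPLE).items():
        print(reg, hosts)
```

A structural match is only a lead for review; grouping hits by registered domain and hosting IP block is what lets an analyst pivot to related domains, as the researchers did.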
The domains seem to be a part of a scheme designed to direct people to malware. The group behind the scam infects legitimate websites with code that redirects people to malicious sites.
Most of these malicious domains redirect to two other domains that scan data for a partner program called Paid-To-Promote.net. People who sign up for the program are paid fees to push traffic to other websites.
It is still not clear whether the program is directly linked to the Yahoo attack.
Research into the traffic traced by the affiliate program shows the domains have been used for suspicious purposes since November 28th. Some of these domains are hosted in Ukraine and Canada.
These malvertisements were successfully placed into Yahoo’s advertising network.
Because of Yahoo’s high traffic, more people saw the malicious advertisements, which in turn means a higher rate of infection.
Online advertising networks screen advertisements to ensure they are not malicious, but bad ones do sneak in occasionally.
Yahoo malvertising attack linked to larger malware scheme – ComputerWorld