February 13, 2017 by

Yahoo, MSN Struck by Advanced Malvertising Campaign

 A treacherous malicious advertising campaign is making a comeback on major publishing websites including the likes of MSN and Yahoo, merely months after researchers discovered and were thought to have ended the campaign.

Malvertising, or malicious software delivered through advertisements, is an extremely effective way to target and infect a large number of computers. They are typically embedded into ad networks and trigger a cyberattack when the ads are viewed, often unbeknownst to the victim.

A malicious group dubbed AdGholas, has been known to deliver malware payloads through advertisements in the past. The group’s last-known campaign was shut down in July 2016, after infecting at least a million computers a day with malware.

However, a new ad campaign is turning heads again and the advertising agency is not having an easy time diffusing these malicious payloads, even after realizing that the threat is real. According to Jerome Segura, lead malware intelligence analyst at Malwarebytes, the attack campaigns triggered by AdGholas can be blocked in the short-term. However, significant security weaknesses in the online advertising industry means that malicious groups will target websites with new and modified attack patterns, the researcher says.

A Technically Sound Attack Campaign

AdGholas’ latest campaign sees it distribute malvertising through ‘Browser Defense’ a malicious piece of software purporting to be a privacy tool and Broxu, a screen-capture application. The ad looks for a known information leakage vulnerability on Internet Explorer, even if the user avoids clicking on the advertisement, according to Eset.

 Here, the vulnerability allows the attacker to obtain key facts and information about the computer. Before proceeding with an attack, the cybercriminal is able to ascertain if the computer is running an anti-virus program or other security software. The information even reveals if the computer is actually a virtual machine.

Picking out the malvertising campaign by AdGholas specifically, Segura stated:

It is one of the most advanced malvertising attacks that I’ve ever witnessed.

Typically, cybercriminals avoid running malware on computers if they suspect that their campaign is being studied, in order to further the longevity of the campaign by avoiding discovery from researchers. However, in the case of AdGholas’ malvertising campaign, the information gathered includes the computer’s performance stats, the locations of its installed video drivers and even the computer’s time zone. These checks are pored over multiple times before the victim is chosen.

“These kind of things are absolutely insane from our point of view,” Segura added. “That level of detail is just very, very advanced. The group is very paranoid.”

When a victim is chosen, the browser redirects the victim to a landing page hosting Astrum, an exploit kit that then attempts to exploit vulnerabilities in the notoriously exploitable Flash Player.

Segura was able to observe a full attack after many attempts of trying to trigger an attack by AdGholas’ campaign. Yahoo was notified of the attack around November 27 according to Data Breach Today. However, merely two days later, the malicious advertisements were back. AdGholas has simply changed the domain used for the domain used for the attacks.

A lack of quality control in ad networks has seen the latest round of attacks by AdGholas targeting computers in the U.K., Australia, Spain, Italy, Canada and Switzerland while avoiding computers in the U.S.

The failure of quality control also means that the malvertising campaign can target and figure on major websites which sees millions of visitors.

Segura added:

If they’re not seeing it, we’re in serious trouble here. These attacks are happening and nobody is really aware of them.

Image credit: Flickr.

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Canadian Hacker Pleads Guilty to Yahoo Breach Instigated by Russia

A Canadian national accused by the United States of helping Russian intelligence agents breach into...

Read more arrow_forward

Yahoo! Still Doesn’t Know Cause Behind Biggest Data Breach Ever

Former Yahoo CEO Marissa Mayer has admitted that the web giant still doesn’t know the cause behind...

Read more arrow_forward

Yahoo: All 3 Billion Accounts Impacted by 2013 Data Breach

Yahoo has announced that the massive data breach in August 2013 has affected every single user of...

Read more arrow_forward