08/03/2015

Photo © Yahoo!

This morning, security researchers at Malwarebytes announced that attackers were exploiting a flaw in Yahoo's advertising platform to expose visitors to the Angler exploit kit: not malware in itself, but a browser exploit kit that uses vulnerabilities in the browser and its plugins to install malware on the visitor's device without any click.

The affected websites include Yahoo.com and its related news, sport, and celebrity gossip pages.

The attack started on July 28 and is still ongoing as of this morning. An infected device slows down noticeably, because the malware diverts processor time to its own work, and its battery drains faster. Analysts at Malwarebytes say attackers might use this particular exploit to plant Trojan software on the device, or simply hijack it to send out still more malware.

Yahoo said it's working on the problem. "As soon as we learned of this issue, our team took action to block this advertiser from our network," a Yahoo spokesperson said in an email, but added that the scale of the attack was "grossly misrepresented in initial media reports."

"Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience," Yahoo said.

Hacking email accounts

Coincidentally, or perhaps not, over the weekend I received spam emails from two friends' Yahoo email accounts (and neither friend had any idea until I told them). Unlike most email spoofing attempts I've encountered, this time the emails had partially disguised the senders' addresses to obscure the Yahoo connection.

Here's what I mean: one of my friends – I'll give her the obviously fake name Jane Smith – has an email account JaneDSmith@yahoo.com, which she hasn't used in over a year. This weekend, I got a junk email from JaneD.Smith@munroy.ch. (An intense web search shows no actual email domains with an @munroy.ch address.) The email contained a link which I did not click on, since it surely would result in a bad malware infection.

When I asked Jane about this, she told me the only email she has with the specific name JaneDSmith@anything was with an old Yahoo account she no longer uses. Interestingly enough, when she checked that Yahoo account (and changed its password), the “sent” folder showed no activity at all. Somehow, the spoofers managed to hijack Jane's account and address book without leaving any signs in the account itself.

Something similar happened with my other friend, whom I'll give the equally fake name John Doe: I got an email with a dangerous-looking link, allegedly from JohnRDoe@newindex.co.jp. A web search for that domain does turn up many Japanese-language web sites – none of which my friend John knows anything about. But he did confirm that the only JohnRDoe address he's ever had was with Yahoo, though when he checked his “sent” file he saw no sign of recent activity, either.

Still, the timing of this particular outbreak of spoofed Yahoo emails might be coincidental, and unrelated to the advertising exploit uncovered by Malwarebytes.
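As an added illustration (not code from the original post), here is a small Python check that applies the two tests a practitioner would run on a message like the ones described above: does the sender's local part copy a known contact's local part on an unrelated domain, and do the receiving server's own SPF/DKIM verdicts and the Return-Path agree with the From address. The two sample messages, the contact list, the domains example.org and mailer.example.net and the authserv-id mx.example.org are constructed for the example; munroy.ch and the JaneDSmith / JohnRDoe local parts are the ones from the post.

```python
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed address book: the only detail taken from the post is that a
# contact's Yahoo local part reappeared on an unrelated domain.
CONTACTS = ["JaneDSmith@yahoo.com", "JohnRDoe@yahoo.com"]

# Authentication-Results headers are only meaningful when our own MX added them
# (the RFC 8601 authserv-id); a copy inserted by the sender is attacker-controlled.
OUR_AUTHSERV_ID = "mx.example.org"   # assumed receiving server for the example

# Constructed spoof modelled on the message in the post (not a real capture).
SAMPLE_SPOOF = b"""Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: Jane Smith <JaneD.Smith@munroy.ch>
To: me@example.org
Subject: hi

look at this http://example.invalid/offer
"""

# Constructed legitimate message from the real account, for comparison.
SAMPLE_LEGIT = b"""Return-Path: <JaneDSmith@yahoo.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=yahoo.com; dkim=pass header.d=yahoo.com
From: Jane Smith <JaneDSmith@yahoo.com>
To: me@example.org
Subject: lunch?

are you free thursday?
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def normalize_local(local: str) -> str:
    """Lower-case a local part and drop dots, so 'JaneD.Smith' equals 'JaneDSmith'."""
    return local.lower().replace(".", "")


def lookalike_contact(from_addr: str, contacts: List[str]) -> Optional[str]:
    """Return the known contact whose local part the sender copies on a
    different domain, or None if the address is unknown or genuine."""
    local, _, domain = from_addr.rpartition("@")
    if not domain:
        return None
    for contact in contacts:
        c_local, _, c_domain = contact.rpartition("@")
        if normalize_local(c_local) == normalize_local(local) and c_domain.lower() != domain.lower():
            return contact
    return None


def auth_verdicts(msg, authserv_id: str) -> Dict[str, str]:
    """Collect spf/dkim/dmarc results, but only from Authentication-Results
    headers stamped by our own receiving server (first token before ';')."""
    verdicts: Dict[str, str] = {}
    for header in msg.get_all("Authentication-Results", []):
        text = str(header)
        if text.split(";", 1)[0].strip().lower() != authserv_id.lower():
            continue
        for mech, result in AUTH_RE.findall(text):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts


def assess(raw: bytes, contacts: List[str], authserv_id: str = OUR_AUTHSERV_ID) -> Dict:
    """Flag a raw RFC 5322 message and list the reasons."""
    msg = message_from_bytes(raw, policy=default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    rp_domain = return_path.rpartition("@")[2].lower()
    verdicts = auth_verdicts(msg, authserv_id)
    reasons = []

    imitated = lookalike_contact(from_addr, contacts)
    if imitated:
        reasons.append(f"sender imitates known contact {imitated} on domain {from_domain}")
    if rp_domain and rp_domain != from_domain:
        reasons.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    if verdicts.get("spf") != "pass":
        reasons.append(f"SPF did not pass (spf={verdicts.get('spf', 'missing')})")
    if verdicts.get("dkim") != "pass":
        reasons.append(f"DKIM did not pass (dkim={verdicts.get('dkim', 'missing')})")

    return {"from": from_addr, "imitates": imitated, "auth": verdicts,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for raw in (SAMPLE_SPOOF, SAMPLE_LEGIT):
        verdict = assess(raw, CONTACTS)
        print(verdict["from"], "SUSPICIOUS" if verdict["suspicious"] else "ok")
        for reason in verdict["reasons"]:
            print("  -", reason)
```

Two points worth keeping in mind when reading the output. A passing SPF or DKIM result only proves that the mail really came from the domain in the From header; for a look-alike domain the sender controls, both can pass, which is why the contact-imitation check is the one that catches the case described above. And a message of this shape never touches the imitated Yahoo account at all, so an empty Sent folder there is exactly what this kind of spoof looks like; it does not show whether the address book was copied or merely guessed.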

High rates of infection

Chris Boyd of Malwarebytes told Business Insider that the exact number of devices affected by this exploit is currently unknown, but “the sheer numbers thrown at the Yahoo pages could potentially mean high rates of infection. Many malvertising attacks tend to focus on specific geographical locations depending on ad networks used, but this campaign could have had a huge amount of reach.” Yahoo webpages collectively average 6.9 billion visits per month.

Malwarebytes uncovered the exploit when it discovered a new piece of code inserted into the Yahoo advertising network. As Business Insider explains: “The code shows that the Yahoo ad network URL leads to Microsoft Azure websites, which have also been affected as part of this attack. Boyd said many of the Azure websites caught up in this attack are likely to have been phished accounts, as opposed to ones set up for the explicit purpose of scamming users.”