By Dancho Danchev
Security researchers from StopMalvertising.com have intercepted a malvertising campaign abusing Yahoo's ad network that ultimately leads users to a malicious payload: fake security software, commonly known as scareware.
The IP 18.104.22.168 is acting as a rotator. A rotator is a link to a Traffic Management System and it will point users to different destinations each time the link is requested. They might also include the name of the group spreading the malware or a campaign ID. According to the whois details the organization name is coolservers.ru.
The domain server72.helpping.uni.me is one of those free domain providers and of course they don't have any whois information available, as usual. A fake scanner called Windows Secure Kit 2011 is hosted at this IP.
Read more: Malvertisement on Releaselog installs Windows Secure Kit 2011.
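The rotator behaviour described above, as an added example that is not part of the original post or of StopMalvertising's research: a Python routine that takes redirect chains recorded on repeated requests of the same entry URL (as a crawler or sandbox would log them) and flags the entry as a rotator when the final destination varies between requests, while pulling out any campaign-ID style parameters carried in the link. The chains, hostnames and the 192.0.2.10 address are constructed for the example, and the list of campaign parameter names is an assumption, not something taken from the campaign discussed here.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Query-string keys that traffic management systems often use to carry the
# group name or campaign ID. Assumed for this example; real TDS parameter
# names vary from kit to kit.
CAMPAIGN_KEYS = ("campaign", "cid", "id", "group", "aff")

# Constructed sample: redirect chains recorded by a crawler on four separate
# requests of the same entry URL. 192.0.2.10 is a documentation (TEST-NET-1)
# address standing in for the rotator IP; the other hosts are invented.
SAMPLE_CHAINS = [
    ["http://192.0.2.10/in.cgi?campaign=ab12",
     "http://server72.helpping.example/scan/index.php",
     "http://server72.helpping.example/WindowsSecureKit2011.exe"],
    ["http://192.0.2.10/in.cgi?campaign=ab12",
     "http://news.legit-site.example/article?id=55"],
    ["http://192.0.2.10/in.cgi?campaign=ab12",
     "http://free.domain-host.example/promo/offer.php"],
    ["http://192.0.2.10/in.cgi?campaign=ab12",
     "http://server72.helpping.example/scan/index.php",
     "http://server72.helpping.example/WindowsSecureKit2011.exe"],
]


def host_of(url):
    """Hostname part of a URL, lower-cased; '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def campaign_tags(url):
    """Return {key: value} for campaign-style query parameters found in url."""
    query = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in query.items()
            if k.lower() in CAMPAIGN_KEYS and v}


def rotator_report(chains, min_distinct=2):
    """Group chains by entry URL and flag entries whose final destination varies.

    A rotator hands each request to a different destination, so the same
    entry URL observed several times should resolve to several distinct
    terminal hosts. A static redirect always lands on the same host.
    """
    terminals = defaultdict(list)
    for chain in chains:
        if len(chain) < 2:
            continue  # no redirect took place; nothing to classify
        terminals[chain[0]].append(host_of(chain[-1]))

    report = []
    for entry, hosts in terminals.items():
        distinct = sorted(set(hosts))
        report.append({
            "entry": entry,
            "entry_host": host_of(entry),
            "requests": len(hosts),
            "terminal_hosts": distinct,
            "rotator": len(distinct) >= min_distinct,
            "tags": campaign_tags(entry),
        })
    return report


if __name__ == "__main__":
    for row in rotator_report(SAMPLE_CHAINS):
        verdict = "ROTATOR" if row["rotator"] else "static"
        print(f"{verdict:8} {row['entry_host']} -> "
              f"{len(row['terminal_hosts'])} destinations over "
              f"{row['requests']} requests, tags={row['tags']}")
```

A single fetch cannot tell a rotator from an ordinary redirect, so request the same link several times, and ideally from different source addresses and User-Agent strings, since traffic management systems also key their destination choice on geography and browser, and will happily send a researcher's crawler to a legitimate site while real visitors get the scareware.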
Cybercriminals usually rely on malvertising when they cannot compromise a particular legitimate web site directly, for instance through a remotely exploitable SQL injection flaw. Here they instead socially engineered their way into a high-traffic ad network, Yahoo!'s ad platform, to reach millions of potential victims. Thankfully, in this campaign the malicious ads only redirect users to fake security software, which still depends on the victim choosing to install it; the same access to the ad network could just as easily have been abused to serve client-side exploits that compromise the visitor with no interaction at all.
- Researchers intercept a client-side exploits-serving malware campaign
- Researchers intercept two client-side exploits serving malware campaigns
Just how prevalent is malvertising in the arsenal of the malicious attacker? According to independent reports, more than 3 million malvertising impressions are served every day, and a further 1.3 million malicious ads are viewed daily. Clearly, cybercriminals remain interested in socially engineering their way into high-traffic ad networks.
Yahoo! Inc. has been notified that a rogue publisher is abusing its ad platform and has quickly taken action to mitigate the threat posed by the malicious ads served through it.