February 25, 2012, by Blog Staff

Researchers intercept malvertising campaign using Yahoo’s ad network

Security researchers from StopMalvertising.com have intercepted a malvertising campaign that uses Yahoo’s ad network and ultimately leads to a malicious payload in the form of fake security software, known as scareware.

More details:

The IP is acting as a rotator. A rotator is a link to a Traffic Management System and it will point users to different destinations each time the link is requested. They might also include the name of the group spreading the malware or a campaign ID. According to the whois details the organization name is coolservers.ru.

The domain server72.helpping.uni.me is one of those free domain providers and of course they don’t have any whois information available as usual. A fake scanner called Windows Secure Kit 2011 is hosted at this IP. Read more about Malvertisement on Releaselog installs Windows Secure Kit 2011.
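A defensive illustration of the rotator behaviour described above, added here and not part of the original post or of StopMalvertising's analysis: it scans proxy logs for URLs whose redirect target changes between requests. The log format, addresses, hostnames, the `c=7` campaign parameter and the threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not taken from the campaign on this page):
# timestamp client status requested_url redirect_location
SAMPLE_LOG = """\
2012-02-25T10:00:01Z 10.0.0.5 302 http://203.0.113.7/go?c=7 http://scan-a.example.test/index.php
2012-02-25T10:00:09Z 10.0.0.8 302 http://203.0.113.7/go?c=7 http://scan-b.example.test/index.php
2012-02-25T10:01:30Z 10.0.0.5 302 http://203.0.113.7/go?c=7 http://scan-c.example.test/?id=4
2012-02-25T10:02:00Z 10.0.0.9 301 http://www.example.test/old http://www.example.test/new
2012-02-25T10:02:41Z 10.0.0.5 301 http://www.example.test/old http://www.example.test/new
2012-02-25T10:03:00Z 10.0.0.9 200 http://www.example.test/new -
"""

def is_ip_literal(host):
    """True when the host part of a URL is a bare IP address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_rotators(log_text, min_destinations=3):
    """Return {url: {"destinations": [...], "ip_host": bool}} for URLs that
    redirected to at least min_destinations distinct hosts."""
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, _, status, url, location = fields
        if not status.startswith("3") or location == "-":
            continue  # only redirects carry a destination
        dest_host = urlsplit(location).hostname
        if dest_host:
            destinations[url].add(dest_host)
    findings = {}
    for url, hosts in destinations.items():
        if len(hosts) >= min_destinations:
            findings[url] = {
                "destinations": sorted(hosts),
                "ip_host": is_ip_literal(urlsplit(url).hostname or ""),
            }
    return findings

if __name__ == "__main__":
    for url, info in find_rotators(SAMPLE_LOG).items():
        print(url, info)
```

A stable redirect such as the `/old` to `/new` pair is ignored because every request lands on the same host; only the link whose destination keeps changing is reported.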

Cybercriminals usually rely on malvertising to achieve their malicious objectives when they cannot remotely compromise a particular legitimate web site through direct hacking, for instance through a remotely exploitable SQL injection attack. In this case, they socially engineer their way into a high-traffic ad network like Yahoo!’s ad platform in order to reach millions of potentially exploitable victims. Thankfully, in this campaign they’re redirecting users to fake security software, rather than abusing their access to the ad network in order to serve client-side exploits.


Just how prevalent is malvertising in the arsenal of the malicious attacker? According to independent reports, over 3 million malvertising impressions are served each and every day, followed by another 1.3 million malicious ads which are viewed daily. Clearly, cybercriminals are still interested in socially engineering their way into high-traffic ad networks.

Yahoo! Inc. has been notified that a rogue publisher is currently using its ad platform, and has quickly taken action to mitigate the threat posed by the malicious ads served through it.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


One Response to Researchers intercept malvertising campaign using Yahoo’s ad network

  1. Evil ad networks do things like this. I can’t believe that actually happened and I feel I am entitled to give my opinion in order to warn other people on this. I’ve been using adtomatik for the last two months and got excellent results, higher fill rates and better eCPM than other ad networks.
