Yahoo’s Ad Network Hacked to Spread Ransomware and Malware to Millions of Computers


[Updated]: Yahoo gave an official statement via email in response to this malvertising campaign possibly affecting millions of visitors, claiming that media reports have "grossly misrepresented" the scale of the attack. Please check the complete statement at the end of this post.

Yahoo's biggest websites are being used by cyber-criminals to deliver malware to hundreds of millions of its visitors, security researchers have discovered.

Yahoo entangled in one of the biggest malvertising campaigns:

Yahoo's ad network, which spans some of the biggest websites including its popular portals for sports, celebrity, games, and finance, is being exploited to infect visitors' machines with malware. Malwarebytes, a security company, has revealed how Yahoo's ad network has fallen victim to a "malvertising" campaign. With the network serving an estimated 6.9 billion visits per month, according to Jerome Segura of Malwarebytes, this is being termed one of the biggest malvertising attacks seen in recent years.

Serving such a vast number of visitors a month, Yahoo is practically a treasure trove for cyber-criminals, who have managed to infect the ad network with the Angler Exploit Kit, considered the most sophisticated exploit kit. When a visitor clicks on an affected ad, they are redirected through a number of sites before landing on a page hosting the Angler Exploit Kit. The kit then attempts to stealthily download malware onto the visitor's computer.

Angler Exploit Kit is an off-the-shelf software package containing easy-to-use packaged attacks against both known and unknown (zero-day) vulnerabilities. Targeting the web browser and its applications, Angler Exploit Kit gained notoriety in 2014. This particular kit can deliver a wide range of payloads including banking trojans, rootkits, ransomware, CryptoLocker, and backdoor trojans, according to the McAfee® Labs Threats Report published in February 2015.

According to the security researchers responsible for discovering this malvertising campaign, the attack could deliver two types of threats: malware and ransomware. Malware threats could further infect a user's computer, including by delivering banking trojans and additional advertising fraud software, while ransomware encrypts the user's hard drive and demands a ransom before unlocking the data for the victim.

The malware campaign was launched on July 28; however, there is no word on how many visitors could have been infected by this malware so far. Malwarebytes claims that only the cybercriminal group would be able to share these figures. The campaign is still active, according to Malwarebytes, which has informed Yahoo of the security issue.

While there is no way to know for sure who may have been exposed to the rogue adverts, the sheer volume of traffic to the Yahoo pages could potentially mean high rates of infection. Many malvertising attacks tend to focus on specific geographical locations depending on the ad networks used, but this campaign could have had a huge reach.

The security research group reports that this campaign is the work of the same group that has been involved in a number of other large-scale campaigns, including ones exploiting Adobe Flash vulnerabilities.

[Update: statement from Yahoo spokesperson]: 

Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action to block this advertiser from our network.

We take all potential security threats seriously. With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue.

Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.