A deeper look by Cisco Systems into the cyberattack that infected Yahoo users with malware seems to point out a link between the attack and a suspicious affiliate traffic-pushing theme with roots in Ukraine.
Yahoo aforementioned on Sunday that European users were served malicious advertisements, or “malvertisements,” between Dec. thirty one and last Saturday. If clicked, the advertisements directed users to websites that attempted to put in malicious package.
Cisco discovered that the malicious websites victims landed on ar coupled to many others that are utilized in current cyberattacks, aforementioned Jaeson Schultz, a threat analysis engineer.
Schultz checked out domains hosted inside an oversized science block that researchers discovered Yahoo victims were redirected to, finding 393 others that matched a pattern.
The malicious domains all begin with a series of numbers, contain between 2 and 6 cryptic subdomain labels and finish with 2 random words within the second-level domain, consistent with Schultz’s writeup on Cisco’s diary. a number of the domains were still active as of weekday.
The domains seem to be a part of a theme designed to direct folks to malware, Schultz aforementioned. The cluster behind the scam seems to infect legitimate websites with code that redirects folks to those malicious domains.
Most of the malicious domains direct to 2 different domains that method information for Associate in Nursing affiliate program referred to as Paid-To-Promote.net. those that check in for the program ar paid fees to push traffic to different websites.
It wasn’t clear whether or not that program is directly coupled to the Yahoo attack, however Paid-To-Promote.net’s website offers the impression that “anything goes,” Schultz aforementioned.
Further analysis into the affiliate program’s traffic derived it back to different domains used for suspicious functions, going back to Nov. 28. Some domains ar hosted in Ukraine et al in Canada.
Someone concerned within the theme smitten gold by somehow inserting malvertisements into Yahoo’s advertising network.
“If you’ll get into the ad networks, especially, that is terribly profitable,” Schultz aforementioned in a very phone interview weekday.
The high traffic to Yahoo’s website means that additional folks saw the malicious advertisements, that meant the next rate of infection. on-line advertising networks screen advertisements to make sure they don’t seem to be malicious, however sometimes unhealthy ones sneak in.
The malicious advertisements redirected folks to domains hosting the “Magnitude” exploit kit, that tests to ascertain if a laptop has package vulnerabilities within the Java application framework.