Malvertising impacts Yahoo, AOL visitors, spreads Ransomware via FlashPack exploit kit
Several high-traffic websites, including Yahoo, AOL, Match.com and The Atlantic, were found to be serving malicious ads to their visitors. The malware in action, CryptoWall 2.0 ransomware, impacted visitors running a vulnerable or unpatched version of Adobe Flash Player.
Researchers at Proofpoint, who reported the malvertising campaign, said the malware did not even need a click to get installed; it was installed automatically using a vulnerability in older versions of Flash Player.
“Without having to click on anything, visitors to the impacted websites may be stealthily infected with the CryptoWall 2.0 ransomware. Using Adobe Flash, the malvertisements silently ‘pull in’ malicious exploits from the FlashPack Exploit Kit. The exploits attack a vulnerability in the end-users’ browser and install CryptoWall 2.0 on end-users’ computers,” Proofpoint said in a blog post.
Once the malware infects the victim's computer, it encrypts the victim's hard drive and asks for a ransom, to be paid over the internet, in exchange for decrypting the victim's files back to their original state.
More than 3 million visitors per day were potentially exposed to this malvertising campaign, which is estimated to have generated US$25,000 per day for the attackers.
List of affected domains, along with their Alexa rankings, as given on the Proofpoint blog:
Yahoo! Finance, Fantasy and Sports (yahoo.com, Global 4, US 4),
AOL (realestate.aol.com, US 37, Global 119),
The Atlantic (theatlantic.com, US 386, Global 1,206),
9GAG (9gag.com, US 528, Global 201),
match.com (US 203, Global 631),
The Sydney Morning Herald (www.smh.com.au, Australia 13, Global 780),
realestate.com.au (Australia 17, Global 1,656),
The Age (theage.com.au, Australia 34),
stuff.co.nz (New Zealand 9),
societe.com (France 54, Global 1,649),
Dumpert (dumpert.nl, Netherlands 24),
Flirchi (flirchi.com, India 106, Global 1,129),
Weatherzone Australia (weatherzone.com.au, Australia 111),
Brisbane Times (brisbanetimes.com.au, Australia 183),
RSVP (rsvp.com.au, Australia 351),
The Canberra Times (canberratimes.com.au, Australia 403),
Time Out (US 1,145, Global 1,816),
The Beacon-News (beaconnews.suntimes.com, US 1,178),
Merca2.0 (merca20.com, Mexico 229),
clicccar.com (Japan 1,124),
iPhone for Hong Kong (iphone4hongkong.com, HK 112),
Noticias Argentinas (noticiasargentinas.com, Argentina 784)
The malware in this case, CryptoWall 2.0 ransomware, downloads a Tor client onto the victim's machine, which it uses to connect to its command-and-control (C&C) server, and demands the equivalent of $500 in Bitcoin as ransom.
Proofpoint determined that the impacted websites themselves were not infected; rather, the advertising networks on which these websites rely for serving dynamic ads were, and these dynamic ads in turn were serving CryptoWall to the victims. The ad networks, including OpenX, Rubicon Project and Yahoo Ad Exchange, which were unknowingly serving these malicious ads, were informed of the malvertising campaign, and as of Saturday proper action had been taken to curb the campaign on these networks.