Yahoo malvertising attack leaves 900 million at risk of ransomware


A huge malvertising campaign that took over Yahoo's advertising network for four days last month could have hundreds of millions of potential victims.

Cyber security firm Malwarebytes uncovered the attack yesterday, and said it is one of the largest it has witnessed, affecting ads run across Yahoo's home, news, finance, sports, celebrity and games pages.

The home page,, gets 6.9 billion monthly visits alone according to SimilarWeb, meaning four days worth of traffic constitutes 890 million visits.

Even if those are not all unique, it would still leave hundreds of millions of people at risk of the malware, whose payload may consist of ransomware CryptoWall and ad fraud Bedep.

"This [is] one of the largest malvertising attacks we have seen recently," said senior security researcher Jrme Segura, who added that the attack leveraged Microsoft Azure to redirect users to an Angler exploit kit.

"We did not collect the payload in this particular campaign although we know that Angler has been dropping a mix of ad fraud (Bedep) and ransomware (CryptoWall)," Seguras said.

He explained that malvertising is particularly dangerous because it doesn't require victims to take action to download the bugs it is enough to simply browse a website containing infected adverts.

"The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it," Segura added.

Yahoo took measures against the attack as soon as Malwarebytes made it aware, and the campaign is no longer active.

A Yahoo spokesperson said: "Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue.

"Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We'll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem."

Protecting yourself

However, the scale of the attack led some to ask just how secure Yahoo's systems are.

Grayson Milbourne, security intelligence director at cybersecurity firm Webroot, said: "This exploit raises serious questions about the size of this attack and Yahoo's security processes.

"[It] is an indication that potential breaches are heading in the direction of becoming more complex in nature, and with further reaching effects on a larger number of end-users."

Milbourne urged users to stick to the Chrome browser, coupled with anti-ad software, to avoid malvertising threats in future.

"Use the Chrome browser along with an ad-removal extension," he said. "There are number to pick from, and using this combination offers the best chance of preventing an ad network redirect to an exploit kit."