Discussion: Yahoo malvertising attacks: Just the beginning?

George Leopold, Contributor (ITKE)
Experts say the ease with which attackers conducted last week's malvertisement attacks using Yahoo ads suggests similar iframe attacks are imminent.

1 Comment on this article

  • ValidSoft
    So Yahoo is in the wars and has been hit by a damaging malware attack that has affected over 2 million of its clients and put their personal data at risk. Yahoo clients visiting yahoo.com received advertisements, some of which were malicious. The attack was first spotted on December 30th, although it is likely to have been infecting clients from as early as December 27th through to January 3rd. The exploit primarily affected Yahoo clients based in Europe, with Romania, Great Britain, France, Italy and Spain accounting for around 75% of those affected. It’s worth noting that victims didn’t have to click on the malicious ads in order to have their devices infected with malware. Basically, a “drive-by” exploit kit was deployed that did not need to be clicked on; just loading the advertisements was enough to get exploited and infected with malware. However, clients with an up-to-date version of Java were not affected, as the exploit affected older versions of Java which allowed the malware to run automatically. Newer versions of Java required the user to click the advertisement and therefore circumvented the redirect. Upon visiting the malicious advertisements, users were redirected to random domains served from a single IP address apparently hosted in the Netherlands. The exploit kit took advantage of vulnerabilities in Java and apparently installed a host of different malware including, amongst others, ZeuS, Andromeda and Necur. It has also been alleged that a primary focus of the exploit is to enable Bitcoin mining by establishing a “Bitnet” (a variation of a botnet) that is designed to use mass host computational resources for Bitcoin mining.
    Whilst no one doubts the abilities of the fraudsters to infiltrate sites for the purpose of injecting malware into a computer, when the core business is marketing, and you rely on visitors to your website as your core advertising medium, then it’s totally unacceptable that Yahoo was not better prepared and alert. No matter the amount of apologies Yahoo gives its clients, its reputation has been seriously dented and trust shattered. The simple fact of the matter is that one should not expect to find malware on an internationally recognised site such as Yahoo, and such companies have a social and moral responsibility to take all measures to ensure that such a breach does not occur. The consequence for many clients is that their personal and financial data has been compromised, the implications of which can be shocking for some of the more vulnerable members of our society. It is all very well for Yahoo to issue stock statements about the nature of the attack, and basic “help” on what steps to take if one is concerned that their PC may have been infected, but that will be little consolation to those clients who now feel vulnerable, exposed and worried.

    Unfortunately, Yahoo is not alone in terms of major companies where significant breaches have occurred and who have hit the headlines in the past year, and sadly we can expect more of the same this year. Once a network or system is compromised, the lost data remains at large and the data owners remain vulnerable to attacks that can compromise their bank accounts, and other accounts of value.

    Given the ease with which the fraudsters carry out mass attacks with increasing impact, there is no doubt that the premise now must be to focus on how to render stolen data unusable by hackers/thieves. The correlation between identity theft and subsequent fraud is clearly proven, and I stand behind the view that improving our capabilities before the fraud event, or as the event is occurring, must be the next stage of the evolution of security defences. Being able to determine the difference between a fraud event and a false positive is of course the ultimate weapon in the defence against crime, and the ultimate in terms of best-practice consumer protection and customer satisfaction. The key of course lies in the security architecture, providing the highest levels of security and privacy by combining invisible security layers with low or no friction on the consumer side. Corporate mindsets have to change. The technology exists today to enable these complementary security layers to augment existing security defences. The payback for those entities that get this right will be swift and significant: consumers will be quick to recognise the brand of trust that provides them with the assurance that their banking credentials are protected, their transactions are secure and their interactions are intuitive.
