A Look at the Early Stages of the Yahoo Malvertising Attack

January 13, 2014 - By Chris Larsen

There seems to be a lot more continuing interest in the story of the Yahoo malvertising attack than I would have thought. (Maybe I'm just jaded.) I read an update today on the beginning of the attack, and decided to add some color.

(I can't comment on what Yahoo may have seen in its logs that leads it to believe the attack may have begun as early as 12/27, but I can certainly comment on what we saw in our logs...)

 

The first ads.yahoo.com traffic to the big malvertising network among our users showed up on 12/29 (at 2013-12-29 19:14 UTC). The exploit kit server that was active at the time was residing at 193.169.245.73, and it had come on line the previous day (12/28), so let's start then.

It was regularly rotating through a series of domains (like syntaxomits.in, sitcomplained.in, returningfits.in...) that were hosting the exkit on a variety of deeply nested subdomains.

As we blogged last week -- scroll down to the second half of the post -- the initial traffic into this exploit kit network on 12/19 was driven by Search Engine Poisoning, and that's also what was going on here on 12/28 and 12/29.

Sample hacked sites hosting the SEP relay pages include a real estate site (madisoncountynewlistings.com), a religious site (ministryofthesheep.org), and a car business in Poland (darpex.pl).

[BTW, the logs for the Polish example prompted the following safe-search tip: if you are searching (in English) for something like, say, "expiration date of magic mouthwash", and the search engine returns a link to a .PL site (i.e., registered in Poland, where presumably most of the sites would be expected to be in Polish, not English), do NOT click it! Especially if the subdirectory is named something funny like "/Gstringm/" -- not that any of our users would have done that...]

 

When the initial ads.yahoo.com traffic started showing up on 12/29, the exkit host domain was officerspends.in, with the same deeply nested subdomain approach to obfuscating the URL that the Bad Guys had been using previously. (In other words, all that really changed for the Bad Guys was just bringing a new traffic source on line. But they definitely got a bump in traffic out of that new source...)

 

One last point to look at is the geographic traffic distribution, as Yahoo initially (1/05) said "Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected." And their latest update (1/10) said "...a small fraction of users outside of [Europe] may have been impacted as well."

So how small a fraction might that have been?

As a quick estimate from our logs, traffic to our major global datacenters shows approximately 75.4% of the malvertising traffic in the European logs, 18.7% in the American logs, and 5.9% in the Asian logs. Clearly a minority for non-European users, but more of a "sizeable fraction" than a small one.

--C.L.

@bc_malware_guy