Israeli firm Light Cyber claims to have discovered that Yahoo's poisoned adverts were behind the delivery of malware used to mine bitcoins. "The sophisticated malware campaign used Yahoo's advertising server to distribute malicious advertisements that included exploitations of Java vulnerabilities which installed the malware on client computers visiting ads.yahoo.com," it said in a statement. "It is estimated that tens of thousands of computers in countries around the world have been infected by the campaign in recent days."
Light Cyber's founder Giora Engel gave further details to CNet. "The attackers made sure they exploit each of the millions of infected machines to its full worth by employing Bitcoin miners, WebMoney wallet hackers, personal information extraction, banking information extraction, and generic remote access tools."
He added that bitcoin mining is not usually worth the effort since the electrical cost is greater than the bitcoin return. For this reason criminals have started to use bots to covertly steal the electricity and processing power of their victims to do the mining for them. As a result, comments security expert Graham Cluley, "We’re going to see lots more malware attacks designed to mine Bitcoins on infected computers."
Meanwhile, Cisco's threat research, analysis, and communications (TRAC) group decided to look at its security operations data to see what else could be learned. In a new analysis published yesterday, it confirms that "the attack against Yahoo began on December 31. However," it adds, "the malicious advertisements were just one attack in a long series of other attacks waged by the same group."
Fox-IT, who first broke the news, called out three domains "and 'others'" as the malicious destination of the malvertising redirects. Cisco looked deeper and "found a large cache of 21,971 hostnames from 393 different domains that fit the exact same pattern as the domains used in the malicious ads on Yahoo." It further noted "because we still see activity for these domains as recently as January 9, 2014, Cisco TRAC advises network administrators to block this entire range of IP addresses."
Most of the time, however, Cisco found that the malicious domains don't present exploit kits but rather redirect the user to "ptp22.com or ptp33.com. Both ptp22.com and ptp33.com domains process data for a pay-per-click affiliate program run by an organization called 'Paid-To-Promote.Net.'"
Cisco's Jaeson Schultz signed up for an account with Paid-To-Promote to investigate further. "It appears," he reports, "that typically this group operates by infecting websites with the aim of planting HTML code on the site which directs the site's visitors to one of the malicious domains. The malicious domains then provide a 302 redirect that generates paid traffic via the Paid-To-Promote.Net affiliate program, in effect monetizing traffic from the victimized websites."
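The chain Schultz describes (compromised site, then an intermediary malicious domain, then a 302 into the affiliate program) is easy to spot in web proxy logs if you key on the destination rather than on the intermediary, since the intermediary hostnames churn and the page gives no pattern for them. The script below is an added example, not Cisco's or Fox-IT's code: it walks constructed proxy log lines (the field layout and every hostname under .invalid are made up for this illustration; only ptp22.com and ptp33.com come from the Cisco write-up), flags each 302 whose Location lands on an affiliate host, and reports which site the victim was actually browsing (from the Referer) and which redirector domain sent them on. Host matching is exact-or-subdomain rather than substring, so a lookalike such as ptp22.com.evil.invalid is not counted.

```python
"""Flag 302 redirects into the Paid-To-Promote.Net affiliate hosts in proxy logs.

Added example for illustration, not code from Cisco TRAC or Fox-IT. The log
format and all .invalid hostnames below are constructed; adapt parse_line()
to your proxy's real format.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Affiliate landing hosts named in the Cisco TRAC analysis.
AFFILIATE_HOSTS = {"ptp22.com", "ptp33.com"}

# Constructed sample: timestamp client method url status referer location
# ('-' marks an absent field). Hostnames under .invalid are placeholders.
SAMPLE_LOG = """\
2014-01-09T10:15:02Z 10.0.0.5 GET http://local-news.invalid/index.html 200 - -
2014-01-09T10:15:03Z 10.0.0.5 GET http://wordsalad-online.invalid/ 302 http://local-news.invalid/index.html http://ptp22.com/
2014-01-09T10:15:04Z 10.0.0.5 GET http://ptp22.com/ 200 http://wordsalad-online.invalid/ -
2014-01-09T10:16:10Z 10.0.0.7 GET http://recipe-blog.invalid/post/42 200 - -
2014-01-09T10:16:11Z 10.0.0.7 GET http://another-salad.invalid/ 302 http://recipe-blog.invalid/post/42 http://www.ptp33.com/
2014-01-09T10:17:00Z 10.0.0.9 GET http://shop.invalid/cart 302 http://shop.invalid/ http://shop.invalid/login
2014-01-09T10:18:00Z 10.0.0.9 GET http://decoy.invalid/ 302 http://shop.invalid/ http://ptp22.com.evil.invalid/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")


def host_of(url):
    """Lowercase host of a URL; None for '-' or anything without a host."""
    if url == "-":
        return None
    host = urlsplit(url).hostname
    return host.rstrip(".").lower() if host else None


def is_affiliate_host(host):
    """Exact or subdomain match only, so 'ptp22.com.evil.invalid' is rejected."""
    if not host:
        return False
    return any(host == a or host.endswith("." + a) for a in AFFILIATE_HOSTS)


def parse_line(line):
    """Split one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, referer, location = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "referer": referer, "location": location}


def find_affiliate_redirects(log_text):
    """One record per 302 whose Location host is an affiliate host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] != 302:
            continue
        affiliate = host_of(rec["location"])
        if not is_affiliate_host(affiliate):
            continue
        hits.append({
            "ts": rec["ts"],
            "client": rec["client"],
            "compromised_site": host_of(rec["referer"]),  # page the victim visited
            "redirector": host_of(rec["url"]),            # intermediary domain that 302'd
            "affiliate": affiliate,
        })
    return hits


def redirectors_by_site(hits):
    """Map each suspected compromised site to the redirector domains seen from it."""
    out = defaultdict(set)
    for h in hits:
        if h["compromised_site"]:
            out[h["compromised_site"]].add(h["redirector"])
    return dict(out)


if __name__ == "__main__":
    found = find_affiliate_redirects(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']}: {h['compromised_site']} -> "
              f"{h['redirector']} -> 302 -> {h['affiliate']}")
    print(redirectors_by_site(found))
```

The Referer-derived "compromised_site" column is the actionable output: those are the sites where the planted HTML lives, and the owners are the ones to notify. The redirector list feeds a blocklist, with the caveat that, per Cisco's numbers, there are tens of thousands of such hostnames, so blocking the affiliate destination is the more durable control.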