Yahoo Removes Malicious Ads Redirecting to Magnitude Exploit Kit

Yahoo says it has removed the malicious ads redirecting users in Europe to domains hosting the Magnitude Exploit Kit.

The race to replace the Blackhole Exploit Kit as the web exploit pack of choice for cybercriminals seems to have an early leader in Magnitude.

Researchers at Dutch security firm Fox-IT reported over the weekend that European visitors to Yahoo were falling victim to malicious ads hosted on the site. The ads were injecting iframes onto the user’s browser and redirecting them to sites hosting Magnitude.

This is the first known major incursion redirecting to Magnitude since the takedown of Blackhole and the arrest of its alleged creator Paunch in October.

The Magnitude exploit kit targets Java vulnerabilities and installs a number of dangerous Trojans, including Zeus, Dorkbot, Necurs and a number of click-fraud malware. Fox-IT’s investigation concluded the infections started Dec. 30, possibly earlier.

Most of the victims are in Romania, Great Britain and France; Fox-IT said it was monitoring an average of 300,000 visits per hour to Yahoo and, based on an estimated infection rate of 9 percent, the company says about 27,000 infections were happening per hour.

“At this time, it’s unclear why those countries are most affected,” the company wrote on its blog. “It is likely due to the configuration of the malicious advertisements on Yahoo.”

The Washington Post reported, meanwhile, that Yahoo has removed the advertisements in question.

“Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected,” a Yahoo representative told the Post. “Additionally, users using Macs and mobile devices were not affected.”

The malicious ads were served by Yahoo from a number of domains, including two registered on Jan. 1: blistartoncom[.]org and slaptonitkons[.]net. The company advises that concerned organizations should block the 192.133.137 and 193.169.245 subnets. Those domains then redirect to a number of domains hosting Magnitude, including boxdiscussing[.]net, crisisreverse[.]net, and limitingbeyond[.]net. All of the domains, Fox-IT said, were served from a single Dutch IP address 193[.]169[.]245[.]78.
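As an added example (not code from the article, Yahoo or Fox-IT), the script below checks proxy log lines against the indicators quoted above: the ad domains, the Magnitude hosting domains, the Dutch IP address and the two blocked subnets. The /24 prefix length, the Squid-style log layout and the sample lines are assumptions.

```python
import ipaddress
import re

# Indicators quoted in the article, kept in the defanged form Fox-IT published
AD_DOMAINS = ["blistartoncom[.]org", "slaptonitkons[.]net"]
KIT_DOMAINS = ["boxdiscussing[.]net", "crisisreverse[.]net", "limitingbeyond[.]net"]
KIT_IP = "193[.]169[.]245[.]78"
# The article names the subnets by their first three octets; /24 is an assumption
BLOCK_SUBNETS = ["192.133.137.0/24", "193.169.245.0/24"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]net') back into a usable string."""
    return indicator.replace("[.]", ".")


DOMAINS = {refang(d) for d in AD_DOMAINS + KIT_DOMAINNS} if False else {refang(d) for d in AD_DOMAINS + KIT_DOMAINS}
NETWORKS = [ipaddress.ip_network(n) for n in BLOCK_SUBNETS]

# Assumed Squid-style access log: ts, client, status, bytes, method, URL, ..., dest IP
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+).*?(?P<dest>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def classify(line: str):
    """Return (client, reason) if the line touches an article indicator, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    host = re.sub(r"^[a-z]+://", "", m["url"]).split("/")[0].split(":")[0].lower()
    if host in DOMAINS or host == refang(KIT_IP):
        return (m["client"], f"known domain {host}")
    dest = ipaddress.ip_address(m["dest"])
    for net in NETWORKS:
        if dest in net:
            return (m["client"], f"destination {dest} in blocked subnet {net}")
    return None


def scan(lines):
    """Run classify over a log and return only the hits, in order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (not real traffic); destination IPs are illustrative
SAMPLE_LOG = [
    "1388620800 10.0.0.5 TCP_MISS 512 GET http://ads.example/banner.js - 203.0.113.10",
    "1388620801 10.0.0.5 TCP_MISS 1024 GET http://blistartoncom.org/ad.html - 193.169.245.78",
    "1388620802 10.0.0.9 TCP_MISS 2048 GET http://cdn.example/lib.js - 192.133.137.42",
    "1388620803 10.0.0.7 TCP_MISS 128 GET http://news.example/ - 198.51.100.7",
]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(f"{client}: {reason}")
```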

“It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors,” Fox-IT said, adding that Magnitude is similar to an exploit kit used in an October compromise of php.net.

Since the takedown of the Blackhole Exploit Kit shortly following the arrest of its alleged creator Paunch in Russia, cybercriminals have yet to settle on an adequate successor. The hodgepodge of exploit kits in circulation, including Magnitude, Cool, Angler, Neutrino and others, doesn’t have the same muscle as Blackhole. Blackhole not only was a complete catalog of webinjects and banking malware, but it was updated almost daily, and was relatively affordable with an annual license selling for around $1,500. Since Paunch’s arrest, activity from Blackhole and its cousin Cool has dwindled to almost zero, and attackers are scrambling not only for a successor, but also to recover lost revenue.

Recently, researchers at Websense reported that the keepers of the Cutwail botnet had resorted to using phishing and spam email schemes spiked with malicious attachments or links to malware downloads because of the unavailability of Blackhole. Before the takedown, Blackhole was used heavily to automatically compromise computers and install banking Trojans or other financial malware, with direct attachments used to a lesser extent. That ratio has flipped, Websense said.

“What we’ve seen post Blackhole is this immediate cutoff where the URL based attacks inside these emails declined because of the Blackhole infrastructure going down,” said Alex Watson, Websense director of security research.

As for Magnitude, Websense reported a blip where criminals were experimenting with the new exploit kit for a period of time, but then moved away. Magnitude and Neutrino, a number of researchers report, support many of the most recent exploits, but they seem to be a work in progress in terms of how they deliver redirects or exploits.

“It has to be a worthwhile business arrangement as well. When they adopt exploit kits, it’s both a mixture of the frequency of adoption to avoid security solutions and another element how quickly it is to incorporate the latest exploits,” Watson said. “The third is the cost of the business arrangement for the exploit kit and if it can be competitive with what Blackhole was before.”
