One of the world’s largest advertising networks, YieldManager, has been serving ransomware to websites from all over the world. The malvertising campaign was first detected by Armorize’s HackAlert scanning farm.
While the websites affected are international, the exploit server itself, at the current time, is only serving malware to visitors from Germany. YieldManager is run by Right Media, which Yahoo acquired in 2007.
The malware is masquerading as crime-detection software from federal German Police, claiming that child-pornography and other illegal content has been detected on a victim’s system and that their IP address, operating system, and internet service provider have been recorded. It then locks down the computer to “prevent further abuse,” and demands 100 euro within 24 hours to unlock the computer. As with most ransomware campaigns, the threat is that all data on the computer will be deleted unless the demands are met.
The fake advertiser is kinectgames.info (Dallas), and the exploit server is running the Blackhole kit on town.incredibleoutcomes.com (Ukraine). Other affiliated malicious domains are sahoreen.in (Dallas), belyguar.in (Dallas), bundespool.net (Romania).
Among the affected websites is Ziddu.com, who, according to Amorize’s report, receives some 1.5 million daily pageviews and 364,000 visits.
For more information, screenshots, and a video detailing exactly how Ziddu was infected, check out the report over at Armorize.
