Malicious Ads from Yahoo Just the Tip of the Iceberg

When Fox-IT published their report regarding malvertisements coming from Yahoo, they estimated the attack began back on December 30, 2013, while also noting that other reports indicate the attack may have begun earlier. Meanwhile, Yahoo intimated a different timeframe for the attack, claiming “From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware.”

With so much uncertainty regarding this attack, Cisco TRAC decided to review what data we had to see if we could sort out some of the competing claims. Cisco Security Intelligence Operations data regarding the Yahoo incident supports the conclusion that the attack against Yahoo began on December 31. However, the malicious advertisements were just one attack in a long series of other attacks waged by the same group.

Fox-IT noted that the iframes in the malvertisements were redirecting visitors to various domains hosted on IP 193.169.245.78. Specifically called out in the blog are the following Indicator of Compromise (IoC) domains:

boxsdiscussing.net
crisisreverse.net
limitingbeyond.net
and “others”

When Cisco TRAC searched for hosts present in the 193.169.244.0/23 netblock (to which the IP 193.169.245.78 observed by Fox-IT belongs), we found a large cache of 21,971 hostnames from 393 different domains that fit the exact same pattern as the domains used in the malicious ads on Yahoo: all domains have hostnames that begin with a series of numbers, contain two to six cryptic subdomain labels in the middle, and end with two random words in the second-level domain label, often sharing a common Top Level Domain (TLD).
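The hostname shape and netblock described above can be turned into a triage check over DNS or proxy logs. The following is an added example, not code from Cisco TRAC or Fox-IT; the regular expressions are an assumed reading of the description (an all-digit first label, a letters-only second-level label of at least eight characters standing in for "two random words"), and the sample records are constructed.

```python
import ipaddress
import re

NETBLOCK = ipaddress.ip_network("193.169.244.0/23")  # netblock named in the article

# Assumed readings of the description: leading label is all digits, middle
# labels are alphanumeric strings, and the second-level label is letters only
# (a stand-in for "two random words", which needs a wordlist to verify).
NUMERIC = re.compile(r"[0-9]+")
CRYPTIC = re.compile(r"[a-z0-9]+")
WORDY_SLD = re.compile(r"[a-z]{8,}")


def matches_pattern(hostname):
    """True if hostname is <digits>.<2-6 cryptic labels>.<wordy SLD>.<TLD>."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 5:
        return False
    first, middle, sld = labels[0], labels[1:-2], labels[-2]
    return (
        NUMERIC.fullmatch(first) is not None
        and 2 <= len(middle) <= 6
        and all(CRYPTIC.fullmatch(m) for m in middle)
        and WORDY_SLD.fullmatch(sld) is not None
    )


def in_netblock(ip):
    return ipaddress.ip_address(ip) in NETBLOCK


def triage(records):
    """Return (hostname, ip, reasons) for records matching either indicator."""
    hits = []
    for hostname, ip in records:
        reasons = []
        if matches_pattern(hostname):
            reasons.append("hostname-pattern")
        if in_netblock(ip):
            reasons.append("netblock")
        if reasons:
            hits.append((hostname, ip, reasons))
    return hits


# Constructed sample DNS answers (hostname, resolved IP); not observed data.
SAMPLE = [
    ("20140103.a9f3.k2x8.boxsdiscussing.net", "193.169.245.78"),
    ("www.example.com", "192.0.2.10"),
    ("static.example.net", "193.169.244.10"),
    ("7.aa.bb.cc.dd.ee.ff.gg.crisisreverse.net", "192.0.2.20"),
]
```

A record matching both indicators is a stronger signal than either alone; the hostname heuristic by itself will also match unrelated deep hostnames, so treat single-reason hits as leads to review.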