Malvertising (Malicious Advertising): Thousands of visitors served!

January 06, 2014 by Brad Garnett

This recent Washington Post article caught my attention and I wanted to share additional information with our blog readers.

The internet can be described as a network of networks. What does that mean? It means that if a computer or device has an internet connection, it is directly or indirectly connected to every other computer network that makes up ‘the web’.

Advertisers pay websites to advertise their product or service to you. The more impressions or clicks an advertisement receives, the more revenue the website generates for serving that advertisement. There is a reason why large websites and social media sites are FREE. Remember, if you are not a paying customer you are the product, not the consumer.

Large search engines and social media websites are generally free for the popular service they offer. Many offer paid or premium services that require a user to register and complete a payment process (this is where you transition from being the product to being the paying customer). Have you ever downloaded a smartphone application where the ‘lite’ version is free and the full version has to be purchased? Many smartphone app developers release a light (‘lite’), free version because it is ‘supported’ by advertising revenue. Sound familiar? Today, there are many large companies that specialize in web advertising. For a high-traffic website that would like to increase revenue, selling “white space” on its webpages is a good way to offset the costs associated with the maintenance and upkeep of the website.

And I am sure you know how the rest of the story goes… yes, what better way to deliver malware payloads than through a web advertising service, where visitors have no idea they are downloading malware that is capable of stealing login credentials, starting DoS (denial of service) attacks, and spreading via USB drives, social media sites, and even instant messaging programs! Yes, this type of attack was detected a few days ago and primarily affected international users.

In this particular case, a Netherlands-based IT security firm identified that Yahoo’s advertising server (ads-dot-yahoo-dot-com) was serving up malware that affected up to 27,000 users per hour. This was happening as of December 30, 2013, but could have begun earlier. The attack appears to target only Windows desktop systems. Romania, the United Kingdom, and France appear to be the most affected by this malware attack. Yesterday, Yahoo released a statement saying that Mac and mobile users in North America were not affected by this malware attack, which is good news for U.S. users.

While this attack appears not to have affected users in the U.S., it is important to understand how this type of malware attack occurs. This malware was able to disguise itself as a legitimate advertisement on Yahoo’s advertising servers. When a visitor went to a webpage containing an advertisement hosted on this Yahoo server, the malware used a Java exploit to deliver the malware payload to the local user’s PC.


The graphic below (Figure 1) illustrates which web servers a network connection is established with to load the homepage content, which could be code, text, images, advertising, etc. As you can see, Yahoo’s advertising server ( is being called when a user visits

(Figure 1)

There are thousands, if not hundreds of thousands, of websites that communicate with Yahoo’s advertising server, so any website that was communicating with the Yahoo advertising server could have been the gateway for delivering the malware payload to a user’s PC. Figure 1 simply illustrates a visit to via a web browser. During your visit, you do not see these network connections and the other traffic occurring behind the scenes. This is why this type of malware attack can infect so many computer systems in a short amount of time before detection occurs.
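The behind-the-scenes connections described above can be listed from a page's HTML. The following is an added example, not part of the original post: it reports every host outside the visited site that a browser would fetch content from without any click. The page URL, HTML and hostnames are constructed placeholders, and `site_of` is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and attributes that make a browser fetch a resource automatically.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src",
               "embed": "src", "object": "data", "link": "href"}

def site_of(host):
    """Crude site key: the last two DNS labels (assumption; a real tool
    would consult the Public Suffix List for names such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = {}  # host -> set of tags that load content from it

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            host = urlsplit(urljoin(self.page_url, url)).hostname
            if host:
                self.hosts.setdefault(host, set()).add(tag)

def third_party_hosts(page_url, html):
    """Return {host: sorted tags} for hosts outside the visited site."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    own = site_of(urlsplit(page_url).hostname)
    return {h: sorted(t) for h, t in sorted(collector.hosts.items())
            if site_of(h) != own}

# Constructed sample page; every hostname is a placeholder.
SAMPLE_URL = "https://www.news.example/home"
SAMPLE_HTML = """
<link rel="stylesheet" href="/static/site.css">
<script src="https://static.news.example/app.js"></script>
<script src="//ads.adnetwork.example/serve.js"></script>
<img src="logo.png">
<iframe src="https://ads.adnetwork.example/slot?id=1"></iframe>
<img src="https://pixel.tracker.example/p.gif">
<a href="https://other.example/story">a link the user must click</a>
"""

if __name__ == "__main__":
    for host, tags in third_party_hosts(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{host:26} loaded via {', '.join(tags)}")
```

Static HTML understates the picture, because scripts can request further hosts once they run; a browser's network panel or a proxy log shows the full set.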

If you were to open a malicious e-mail attachment and a malware infection occurred, later, in the back of your mind, you would be saying, “It’s probably because I opened that e-mail attachment and I shouldn’t have.” You know what action you took to fall victim to the malware. However, in this particular malicious advertising attack (malvertising), you probably would not know what action caused the initial malware infection. As a user, the good news is that there are some things you can do to block advertising, such as installing a browser extension in your favorite web browser. Do you own or manage a business? There are some things you can do to protect yourself and your business from these types of attacks.

Well, just as I stated here and here, there does not appear to be a slowdown in malware attacks, and 2014 appears to be off to a fast start. If you have questions on securing your computer infrastructure or developing a focused IT security business plan that is customized to your business needs, please contact us.

Brad Garnett, CCE®, GCFA is a Digital Forensic Consultant with Kemper Technology Consulting, a division of Kemper CPA Group LLP.  Prior to joining the Kemper team, Garnett spent the last decade in law enforcement, where he specialized in digital forensics. If you have a situation where forensic technology is needed to help you find an answer or make a tough business decision, please contact Brad at 812-421-8000.

Kemper CPA Group LLP publications should not be construed as legal advice or legal opinion on any specific facts or circumstances. The content is intended for general informational purposes only. You are urged to consult your own advisor on any specific legal questions concerning your situation.

