Skip to main content

Fake Ads on Yahoo, AOL Deliver File-Locking Malware

Credit: Lightspring/Shutterstock

(Image credit: Lightspring/Shutterstock)

The nasty CryptoWall malware is making a comeback — and it's spreading via even more online ad networks. This latest in a spate of "malvertising" campaigns put CryptoWall in ads on at least 22 trusted websites, including Match.com and several Yahoo and AOL domains. Users don't have to click on the fake advertisements to become infected.

It's a double whammy for Internet users. CryptoWall is encrypting ransomware, capable of locking users out of their own personal files unless they agree to pay ransoms to the cybercriminals controlling the malware. Malvertising — spreading malware via infected ad networks — is quickly growing and can prove difficult to detect or prevent.

MORE: 10 Best Ad Blockers and Privacy Extensions

The CryptoWall malvertising campaign began in late September and ended around mid-October, according to Sunnyvale, California-based security company Proofpoint. (It may be linked to an earlier CryptoWall malvertising campaign.) Over three million users per day were potentially affected by the malware, Proofpoint estimated in a report

If you visited an affected Web page and a malicious ad happened to load in your browser, an Adobe Flash script would then deliver an exploit kit, a Swiss Army knife of malware designed to seek out security flaws in your browser. If the exploit kit found a flaw, it would trigger a drive-by download to install the CryptoWall malware on your computer.

Once CryptoWall is up and running on a Windows PC, it encrypts documents on the hard drive, then notifies the user that the files are being held for ransom. Pay a fee by the deadline, and the criminals (allegedly) hand over the encryption keys, allowing you to regain access. Refuse, and your files are essentially lost. 

Proofpoint estimates that the criminals behind this latest campaign earned $25,000 per day while it was active.

"As for the unfortunate victims, payment is no guarantee that the end-user will regain access to their system, and even if they do the attacker may remain effectively in control of it, which is why security best practices generally recommend against payment and advise instead to clean the system, if possible, and if necessary recover from a clean backup," Proofpoint writes.

The full list of affected websites spans the globe: Yahoo! Finance, Fantasy and Sports; AOL; The Atlantic; the American user-content upload site 9GAG; Match.com; The Sydney Morning Herald; RealEstate.com.au; the Australian newspaper The Age; Stuff.co.nz; the French business-information site Societe.com; the Dutch video-upload site Dumpert; the Russian online-dating site Flirchi; Weatherzone Australia; Brisbane Times; RSVP Australia; The Canberra Times; the multinational city guide Time Out; The Beacon-News of Aurora, Illinois; the Mexican tech-business site Merca2.0; the Japanese auto-fan site Clicccar; iPhone for Hong Kong; and Noticias Argentinias.

Malvertising is especially effective because the websites hosting the malware can do so little to prevent it. Yahoo, Match.com and AOL were not  themselves infected or compromised; instead, the malware arrived via one of the dozens of automated ad networks that instantaneously bid behind the scenes to display advertisements on each and every newly displayed Web page. 

There are a couple of ways you can reduce your risk of being hit by CryptoWall. First, make sure your browser and operating system are all up to date with the latest security patches. This will make it hard for the exploit kits to find a way into your computer's defenses.

Second, make sure you have a robust antivirus product installed, one that will scan newly loaded Web pages for malware and accordingly block malicious pages. The antivirus software should update its known-malware definitions list at least once a day.

You could also consider using an ad blocker or a plug-in that disables JavaScript on your browser. But remember that most websites depend on ads four their income and would go out of business if everyone used this method.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.