When Fox-IT published their report regarding malvertisements coming from Yahoo, they estimated the attack began on December 30, 2013, while also noting that other reports indicated the attack may have begun earlier. Meanwhile, Yahoo intimated a different timeframe for the attack, claiming “From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware.”
With so much uncertainty regarding this attack, Cisco TRAC decided to review what data we had to see if we could sort out some of the competing claims. Cisco Security Intelligence Operations data regarding the Yahoo incident supports the conclusion that the attack against Yahoo began on December 31. However, the malicious advertisements were just one attack in a long series of other attacks waged by the same group.
Fox-IT noted that the iframes in the malvertisements were redirecting visitors to various domains hosted on IP 126.96.36.199. Specifically called out in the blog are the following Indicator of Compromise (IoC) domains:
- and “others”
When Cisco TRAC searched for hosts present in the 188.8.131.52/23 netblock (to which the IP 184.108.40.206 observed by Fox-IT belongs), we found a large cache of 21,971 hostnames from 393 different domains that fit the exact same pattern as the domains used in the malicious ads on Yahoo. All domains have hostnames that begin with the a series of numbers, contain two to six cryptic subdomain labels in the middle, and end with two random words in the second-level domain label, often sharing a common Top Level Domain (TLD).
It is interesting to note that many of these domains were in use before the incident at Yahoo. Network administrators may wish to download a copy of the domain list, and check their network logs for evidence of traffic going to any of these malicious domains. Because these malicious domains originate from different IP addresses within the 220.127.116.11/23 netblock (not just 18.104.22.168), and because we still see activity for these domains as recently as January 9, 2014, Cisco TRAC advises network administrators to block this entire range of IP addresses.
Rather than presenting an exploit kit, our data shows that most of the time these malicious domains present the visitor with an HTTP response code 302 redirect to the domains ptp22.com or ptp33.com. Both ptp22.com and ptp33.com domains process data for a pay-per-click affiliate program run by an organization called Paid-To-Promote.Net.
I signed up for a test account at Paid-To-Promote.Net to have a peek at the code they generate for placement on web pages. The affiliate links are identical --except of course for the userid that is being paid for the traffic.
By checking the Referer information from the requests to the malicious domains at 22.214.171.124/23, it appears that typically this group operates by infecting websites with the aim of planting HTML code on the site, which directs the site’s visitors to one of the malicious domains. The malicious domains then provide a 302 redirect that generates paid traffic via the Paid-To-Promote.Net affiliate program, in effect monetizing traffic from the victimized websites.
This is not the first time either. By looking for traffic to the affiliate program, we were able to identify some older domain infrastructure inside 126.96.36.199/24, which appears to have been used by the same group for the same purpose, beginning on November 28, 2013 and continuing well into early January. Blocking this IP range may also be a good idea as there is no way to know whether this group has plans to spin up additional domains using the same IP infrastructure.
For the protection of our customers, the domains mentioned in this post are all being blocked by Cisco. Thanks to Gregg Conklin, Mary Landesman, and Seth Hanford for their assistance with this post.