As the Snapchat and Target breaches continue to make headlines, a serious Yahoo malware attack has, in my opinion, been underreported. Maybe it is because it happened in Europe, so it registers as just a blip on the American security radar? Or maybe it doesn’t generate the same kind of panic or outrage that the exposure of credit card information or phone numbers does? I don’t know. I can’t explain it. What I do know is that the type of attack Yahoo is dealing with could be devastating to a corporate network.
According to SearchSecurity:
The Internet security firm Fox-IT reported the malware infection Jan. 3, which involved malicious ads being served by ads.yahoo.com using cross-site scripting. The iframes were directed to infected files on non-Yahoo servers.
Oscar Marquez, chief product officer at Total Defense, explained to me in an email that the methodology used in the recent Yahoo attack is not new, but what makes this attack different is the scope of the infection. Marquez explained:
There was no user interaction needed for the exploit to be downloaded. Simply visiting a page with an infected ad could have resulted in infection. The infected files used were previously known forms of malware, so any up-to-date endpoint protection should have detected and prevented the infection. Any unprotected systems that were served an infected ad were likely infected. It is absolutely imperative that all users have some form of endpoint protection installed.
In this case, he added, Yahoo itself did not need to be infected. The ads being served from another server were infected. And any website serving ads is susceptible to a similar exploit, and these can happen at any time. Since this type of infection can happen in a moment to the billions of Web pages that exist today and to the billions of Web pages that will be created in the future, URL filtering will not provide any useful security against these types of threats.
So how do you protect your network? According to Marquez, companies need a Web security system that scans the traffic for malicious activity before it reaches the end user. Having a system in place allows an administrator to keep attacks like this from infecting user machines. Marquez also said:
A Web server can be compromised at any moment, and as seen here, the website itself doesn’t even have to be compromised. The criminal enterprises behind today’s malware want to infect as many systems as possible. The more systems they can infect, the greater their profit will be. So I believe that they will use this iframe attack type again in the future, because it has proven to work.
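To make the traffic-scanning control Marquez describes concrete, here is an added example (written for this post, not code from Yahoo, Fox-IT or Total Defense): a minimal check a web gateway could run on an ad response, flagging iframes whose source points off the ad server's own domain, the pattern seen in this attack. The hidden-frame heuristic, the domain names and the address are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Heuristic (assumption): a zero-sized or CSS-hidden frame has no business in an ad."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        attrs.get("width", "").strip() in ("0", "0px")
        or attrs.get("height", "").strip() in ("0", "0px")
        or "display:none" in style
        or "visibility:hidden" in style
    )


def suspicious_iframes(serving_host, html):
    """Return (src, hidden) for each iframe whose src lies outside the ad server's domain.

    serving_host is the host that delivered the creative. Relative URLs resolve to
    that host and are treated as first-party, so they are not reported.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs
        if host and host != serving_host and not host.endswith("." + serving_host):
            findings.append((src, _is_hidden(attrs)))
    return findings


# Constructed sample creatives (not real ad markup); 203.0.113.7 is a documentation address.
CLEAN_AD = '<div><iframe src="https://ads.adnet.test/creative/123" width="300" height="250"></iframe></div>'
INJECTED_AD = ('<div><img src="https://ads.adnet.test/banner.png">'
               '<iframe src="http://203.0.113.7/load.php?x=1" width="0" height="0" style="display:none"></iframe></div>')

if __name__ == "__main__":
    for label, creative in (("clean", CLEAN_AD), ("injected", INJECTED_AD)):
        print(label, suspicious_iframes("ads.adnet.test", creative))
```

A gateway would apply this to every ad response it proxies, blocking or logging the response rather than relying on a URL filter that cannot know which of billions of pages will carry a bad ad next.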
But don’t just worry about protecting the server, BeyondTrust Chief Technology Officer Marc Maiffret told me. Instead, you have to remember what a liability employees can be to network security. Maiffret said:
It doesn’t matter who or what your business is, but simply having employees that are browsing the Internet can cause your systems to be compromised. This is yet another good example of companies needing to do the most basic security precautions around identifying vulnerabilities, patching their systems and reducing privileges. These three things can make a world of difference in an attack like this leading to your organization being compromised or not, and at what level.