An investigation by Cisco systems into the cyberattack that infected Yahoo users with malware appears to show links between the attack and a traffic-pushing scheme in Ukraine.
Yahoo said on Sunday that users in Europe were served malicious advertisements between December 31 and January 4. If clicked, the ads directed users to websites that then attempted to install malicious software.
Cisco has discovered that the websites victims landed on are linked to others that have been used in ongoing cyberattacks. Jaeson Schultz, a threat researcher at Cisco, says that the scheme is part of a far larger one aimed at delivering people directly to malware sites.
Most of the malicious domains redirect to two other domains that process data for an affiliate program called 'Paid-To-Promote.net'. People who sign up for the program are paid fees to push traffic to other websites.
It wasn't clear whether that program is directly linked to the Yahoo attack, but Paid-To-Promote.net's site gives the impression that "anything goes," Schultz said in a blog post.
The group behind the scheme seems to be attempting to infect legitimate websites with code that redirects them to malicious domains. The group are then paid depending on how much traffic they bring. Someone involved with the website managed to insert malware advertising into Yahoo's network that directed hundreds of thousands to websites that Paid-To-Promote wanted.
The high traffic to Yahoo's site means more people saw the malicious advertisements, which meant a higher rate of infection.
The malicious advertisements redirected people to domains hosting the 'Magnitude' exploit kit, which tests to see if a computer has software vulnerabilities in the Java application framework.