The cyber attack that infected mainly Europe users of Yahoo with malware appears to show a link between the attack and a suspicious affiliate traffic-pushing scheme with roots in Ukraine, researchers said.
Yahoo said European users ended up served malicious advertisements between Dec. 31 and last Saturday. If clicked, the advertisements directed users to websites that tried to install malicious software.
The malicious websites victims landed on link to hundreds of others used in ongoing cyber attacks, said Jaeson Schultz, a threat research engineer at Cisco Systems.
Schultz looked at domains hosted within a large IP block Yahoo victims ended up directed to, finding 393 others that matched a pattern.
The malicious domains all start with a series of numbers, contain between two and six cryptic subdomain labels and end with two random words in the second-level domain, according to Schultz’s Cisco’s blog. Some of the domains were still active as of Thursday.
The domains appear to be part of a scheme designed to direct people to malware, Schultz said. The group behind the scam appears to infect legitimate websites with code that redirects people to those malicious domains.
Most of the malicious domains redirect to two other domains that process data for an affiliate program called Paid-To-Promote.net. People who sign up for the program are paid fees to push traffic to other websites.
It wasn’t clear whether program directly links to the Yahoo attack, but Paid-To-Promote.net’s site gives the impression that “anything goes,” Schultz said.
Further research into the affiliate program’s traffic traced it back to other domains used for suspicious purposes, going back to Nov. 28. Some domains are in Ukraine and others in Canada.