Score one — or rather, score hundreds of millions — for the bad guys this week.

Hackers managed to infect what is likely one billion or more online users in two separate attacks, both of which used a Microsoft product to lure in unsuspecting victims.

In one instance, a Microsoft Azure page was used to redirect traffic to an infected site in a massive malvertising campaign that involves Yahoo advertising.

Separately, there is an email scam circulating in which potential victims are offered a free Windows 10 upgrade courtesy of Microsoft. Spoiler alert: it's not free and it's not from Microsoft.

Let's start with the malvertising attack, which is the more insidious event because of the ease at which the attack can happen and disable the computer of even the best prepared and tech-savvy.

Yahoo Under Attack

On Sunday Malwarebytes Labs uncovered a large malvertising attack on Yahoo's advertising network.

Working backwards, the security firm concluded the attack had started on July 28.

Malwarebytes reached out to Yahoo that day and, to its credit, Yahoo began taking steps to shut down the attack, Jerome Segura, senior security researcher at Malwarebytes Labs, told CMSWire.

"Kudos for them for responding very quickly," he said. "Not all ad companies take that level of care or give you a response."

Of course, not all ad companies have Yahoo's instantly recognizable brand name to protect.

Still, its efforts were successful — in short order the malware attack had been blocked.

Unfortunately some 890 million users could have been exposed to the malware over the four days, per data from SimilarWeb that estimates the site receives an estimated 6.9 billion visits per month.

The malware is associated with the Angler exploit kit, Segura said.

Why This Is Bad

In general, exploit anything is a scary thing.

Otherwise known as drive-by downloads, they invisibly direct a user’s browser to a malicious website that hosts an exploit kit. "The entire process can occur completely invisibly, requiring no user action," writes Fraser Howard at Sophos in this post outlining the dangers of the Angler exploit.

In other words, users don’t have to click on the ad to be infected.

The malware goes on autopilot, so to speak, if the user happens to navigate onto an infected page.

And, in the case of malvertising, almost any page can be infected — even the most reputable ones, such as a news site.

That is due to the structure of the online advertising industry, which distributes ads via several networks and uses technology such as real-time bidding to facilitate the process as quickly as possible.

Look Out Azure

Microsoft Azure had an unwelcome, unwitting — and recurring, unfortunately — role to play in this mess.

Its webpage was used as part of the redirection process to the exploited page, Segura said. This is not the first time hackers have used the page in a malvertising attack, he added.

Still, it is unusual for a highly prominent site to be used as a redirector, he continued.

But he can see why the page was hijacked — it uses HTTPS, which means the traffic is encrypted.

"Advertisers can see there is ad traffic redirected to the Azura website and then they can't see beyond that because of the encryption. The hackers are using Microsoft's cloud infrastructure for their own purpose to take and redirect traffic," he said.

A Microsoft spokesperson said the company "took immediate steps to shut down the malicious site" as soon as it was notified. "When we identify misuse of the service that violates the Azure Acceptable Use Policy, such as the distribution of malware, we quickly take action," the spokesperson continued.

Unfortunately, there are still untold hundreds of millions of computer users infected probably unknowingly. The malware could have been anything including ransomware, Segura said.

Email Scam Promises Win10 Upgrade

The second malicious event involving Microsoft is an email scam that is circulating, urging consumers to download software for their "free" Windows upgrade. Cisco Security’s Talos researchers discovered it at the start of the month.

"This threat actor is impersonating Microsoft in an attempt to exploit their user base for monetary gain," according to the blog. "The fact that users have to virtually wait in line to receive this update, makes them even more likely to fall victim to this campaign."

There's no waiting, though, to see what the hackers cooked up. Once the victim downloads the file, a ransom payload is delivered.

Simple to Spot

As far as malware goes, though, this scam should be easy to spot if the user knows where to look on the email.

The email header, for instance, reveals that the message actually originated from IP address space allocated to Thailand, Cisco threat researchers Nick Biasini, Craig Williams and Alex Chiu wrote.

In addition, there are a couple of red flags associated with the text of the email, they added. There are "several characters that don’t parse properly. This could be due to the targeted audience, a demographic using a non-standard character set, or the character set the adversaries were using to craft the email," they explain.

The Scary Rise of Malvertising

There is little way for a user to protect himself against malvertising, though, and as noted above, it could happen to anyone visiting, say CBS News's website.

In fact, it probably did happen to people visiting that site, along with several other news organizations' web pages, according to a report by Bromium.

It reported recently that malicious advertising has been on the rise for some time now and lately "malicious advertisements from news media and entertainment websites make more than half of the attacks."

New sites mentioned in the report included,,,,,,,,, and

Separately, a report from RiskIQ validates the huge growth in malvertising.

Released this week at Black Hat USA 2015, it said that in the first half of this year the number of malvertisements rose 260 percent compared to the same period in 2014. Also, the sheer number of unique malvertisements has climbed 60 percent year over year, it found.

"The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred method for distributing malware," said Elias Manousos, CEO and co-founder of RiskIQ.

Tailored Malware

"There are a number of reasons for this development, including the fact that malvertisements are difficult detect and take down since they are delivered through ad networks and are not resident on websites," Manousos added.

"They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users."

Oh yes, Segura mentioned that as well. In many ways that's the ultimate beauty of malvertising, at least from a hacker's perspective, he said.

"These ads are being targeted to users based on demographics and income groups. So the hackers can tailor their malware to those groups as well."

Creative Commons Creative Commons Attribution-No Derivative Works 2.0 Generic License  Title image by hans s.