A new report details the possibility that hundreds of thousands of visitors to Yahoo may have been exposed to malware advertisements. The activity was first discovered on Jan. 3 and involved several hosted ads, served by ads.yahoo.com.
Fox-IT, an Internet security firm, discussed the malware attack on its blog. “On Jan. 3 we detected and investigated the infection of clients after they visited yahoo.com,” said Fox-IT.
Not all of the advertisements delivered by ads.yahoo.com are malicious but several malware ads were detected, redirecting users to a “Magnitude” exploit kit that installed several malware files. Per Fox-IT, “This exploit kit exploits vulnerabilities in Java and installs a host of different malware including ZeuS, Andromeda, Dorkbot/Ngrbot, Advertisement clicking malware, Tinba/Zusy and Necurs.”
As described by Fox-IT, the user sees an iframe ad. The malicious ad redirects the visitor to one of several domains, and the malware is then served from one IP address.
The Internet security firm says the first infections occurred on Dec. 30, although the Yahoo malware ads may have started prior to that date. Fox-IT estimates 300,000 visits to this malware site per hour, leading to 27,000 infections every hour, with Great Britain, France and Romania being the most affected countries.
Fox-IT recommends blocking the 192.133.137/24 and 193.169.245/24 subnets. Yahoo has since responded to the threat, and Fox-IT notes that traffic to the exploit kit has decreased. “The attackers are clearly financially motivated and seem to offer services to other actors,” said the security firm, which means the group behind the malware would sell access to infected computers to other groups.
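Beyond blocking, defenders can check existing proxy or firewall logs for clients that already reached those two subnets. The sketch below is an added example, not code from Fox-IT or Yahoo; the log line format, client addresses and destination addresses are constructed for illustration, and only the two subnets come from the article. It also handles the short CIDR form used above, which Python's `ipaddress` module rejects until the missing octet is padded.

```python
import ipaddress

# Subnets exactly as written in the article (short CIDR form, last octet omitted).
REPORTED = ["192.133.137/24", "193.169.245/24"]

def expand_short_cidr(text):
    """Pad a short CIDR such as '192.133.137/24' to four octets and parse it."""
    addr, _, prefix = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=True)

BLOCKED = [expand_short_cidr(s) for s in REPORTED]

def find_hits(log_lines):
    """Return (client, destination, subnet) for each line whose destination is blocked.

    Assumed (hypothetical) line format: '<time> <client_ip> <dest_ip> <url>'.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed or truncated line
        try:
            dest = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # destination field is not an IP literal
        for net in BLOCKED:
            if dest in net:
                hits.append((fields[1], str(dest), str(net)))
                break
    return hits

# Constructed sample log lines; every address and URL here is made up.
SAMPLE_LOG = [
    "10:15:02 10.0.4.17 192.133.137.10 http://example.invalid/ad",
    "10:15:09 10.0.4.22 198.51.100.7 http://example.invalid/news",
    "10:16:41 10.0.7.3 193.169.245.20 http://example.invalid/x",
    "10:17:00 10.0.7.3 193.169.246.1 http://example.invalid/y",
    "10:18:00 10.0.7.9 - http://example.invalid/z",
    "malformed line",
]

if __name__ == "__main__":
    for client, dest, net in find_hits(SAMPLE_LOG):
        print(f"{client} contacted {dest} (inside {net})")
```

Clients that appear in the output visited an address inside one of the reported ranges and are candidates for further inspection, given that the exploit kit targeted Java vulnerabilities.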
It is unclear who is responsible for the malware ads but the Washington Post describes two possible scenarios that could have led to the malware attack. Ashkan Soltani, a security researcher speaking to the Post, said the malware ads could have been delivered via the hacking of an ad network or the malware could have been disguised as a normal ad and managed to bypass Yahoo’s security system. A spokeswoman for Yahoo said they discovered a malicious ad and have removed it, notes the Washington Post.