
Malicious ads served to hundreds of thousands of Yahoo.com visitors

Financially motivated cyber crooks attacked Yahoo.com ad servers with malware, delivering malicious payloads to about 300,000 visitors per hour.

If you visited Yahoo.com since December 30, you may be one of the hundreds of thousands of visitors who were served malware via Yahoo's advertising network.

Security firm Fox-IT, located in the Netherlands, sounded the alarm on Friday. "Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious." After analyzing a sample of traffic, the firm estimated that malicious payloads were delivered to about 300,000 visitors per hour. "Given a typical infection rate of 9%, this would result in around 27,000 infections every hour." The malicious advertisements were iframes hosted on numerous domains.

"Upon visiting the malicious advertisements, users get redirected to a 'Magnitude' exploit kit via an HTTP redirect," Fox-IT warned. "This exploit kit exploits vulnerabilities in Java and installs a host of different malware including: ZeuS, Andromeda, Dorkbot/Ngrbot, Advertisement clicking malware, Tinba/Zusy and Necurs."
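The chain Fox-IT describes (ad server issues an HTTP redirect to a third-party host, which then serves a Java exploit) leaves a recognizable footprint in web proxy logs. The following is an added detection example, not code from the article or from Fox-IT: it reconstructs, per client, an ad-server redirect to a host outside a first-party allow-list followed by a .jar fetch from that host. The log format, the allow-list suffix, the assumption that the Java exploit arrives as a .jar applet, and all sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

AD_HOSTS = {"ads.yahoo.com"}        # ad server named in the article
TRUSTED_SUFFIXES = (".yahoo.com",)  # hypothetical allow-list of first-party hosts
# Constructed log format: <client-ip> <status> <requested-url> <Location-header-or-dash>
LINE_RE = re.compile(r"^(\S+)\s+(\d{3})\s+(\S+)\s+(\S+)$")

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def trusted(host):
    # exact match on the bare domain or any subdomain of an allow-listed suffix
    return any(host == s[1:] or host.endswith(s) for s in TRUSTED_SUFFIXES)

def find_redirect_to_jar(log_text):
    """Return {client: (redirect_target_url, jar_url)} for clients that an ad host
    redirected to a non-allow-listed host and that later fetched a .jar from it."""
    sent_to = defaultdict(set)  # client -> untrusted hosts reached via an ad redirect
    first_hop = {}              # (client, host) -> the Location URL that got them there
    hits = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        client, status, url, location = m.groups()
        status = int(status)
        if host_of(url) in AD_HOSTS and 300 <= status < 400 and location != "-":
            target = host_of(location)
            if target and not trusted(target):
                sent_to[client].add(target)
                first_hop[(client, target)] = location
        elif status == 200 and urlsplit(url).path.lower().endswith(".jar"):
            h = host_of(url)
            if h in sent_to[client]:
                hits.setdefault(client, (first_hop[(client, h)], url))
    return hits

# Constructed sample: one benign first-party redirect, one redirect to a lure host
SAMPLE_LOG = """\
10.0.0.5 200 http://www.yahoo.com/ -
10.0.0.5 302 http://ads.yahoo.com/ad?id=1 http://s.yahoo.com/banner.png
10.0.0.5 200 http://s.yahoo.com/banner.png -
10.0.0.9 302 http://ads.yahoo.com/ad?id=2 http://lure.example.test/
10.0.0.9 200 http://lure.example.test/ -
10.0.0.9 200 http://lure.example.test/a.jar -
"""

if __name__ == "__main__":
    for client, (hop, jar) in find_redirect_to_jar(SAMPLE_LOG).items():
        print(f"{client}: ad redirect -> {hop}, then Java fetch {jar}")
```

Only the second client is reported; the first-party redirect on the first client is ignored because its target matches the allow-list.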

Mark Loman of SurfRight, a security firm located in the Netherlands, tweeted a screenshot with this warning: "Yahoo's ad[.]yahoo[.]com redirecting to exploit kit, malware."

Loman added that the firm's product HitmanPro was "detecting ads[.]yahoo[.]com backdoor. Malware starts on 5 minutes past each hour by Windows Task Scheduler."

Other anti-virus products also flagged the malware, which is still being detected on infected PCs. Timothy B. Lee wrote, "The fact that the malware targeted flaws in the Java programming environment is an important reminder that the software has become a security menace." Hopefully you have already disabled or uninstalled Java, since it is a frequent target that has put one billion users at risk, but Lee reminded users that "security experts recommend that if your browser supports it, you should disable Java (but not JavaScript, a completely separate technology) as a precaution."

Although Fox-IT did not know who was behind the attack, "the attackers are clearly financially motivated and seem to offer services to other actors. The exploit kit bears similarities to the one used in the brief infection of php.net in October 2013."

Neither security firm specifically mentioned "drive-by download," just "upon visiting the malicious advertisements," so it is likely that users needed to click on the ad in order to be redirected to a site with a malicious payload. However, Fox-IT compared it to the attack on php.net, which was a drive-by download attack. As the name implies, when a user surfs to an infected site there is no popup download warning asking whether they would like their computer to be infected with a botnet-related payload. The download happens in the background, without any user interaction or permission, for the drive-by exploit to turn the PC "into a zombie that may then be commanded to further malicious activity like spam or DDoS attacks."

Regarding the potentially related malvertising, a "cybercriminal practice of injecting malicious or malware laden advertisements into legitimate online advertising networks," the Online Trust Alliance (OTA) said, "In 2012, it was estimated nearly 10 billion ad impressions were compromised by malvertising. Web sites, ad networks and users need to be made more aware of the threat, as by just visiting websites that are impacted by malvertisements, users can get infected."

As of January 5, Alexa estimated that Yahoo.com gets 1.6 billion page views per day from about 290 million daily visitors. Of those, Fox-IT said, "The countries most affected by the exploit kit are Romania, Great Britain and France. At this time it's unclear why those countries are most affected; it is likely due to the configuration of the malicious advertisements on Yahoo."

Yahoo, which has since blocked the attack, told the Washington Post:

At Yahoo, we take the safety and privacy of our users seriously. We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity.

Follow me on Twitter @PrivacyFanatic