Malware strikes thousands of Yahoo users via poisoned adverts

Dutch security firm Fox IT has warned of a malware attack which has been hitting many thousands of internet users since at least December 30th.

Visitors to the Yahoo website see adverts served up by ads.yahoo.com, and it was some of those which were malicious.

The warning from Fox IT estimates that a site involved in the malware attack was receiving 300,000 visits per hour from potential victims, with Romania, Great Britain and France most affected.

However, it wouldn’t be wise for anyone outside of these countries who visited Yahoo to imagine that they are somehow immune from the attack.

Infection by country. Source: Fox IT


And, of course, because it was Yahoo’s ad network that was affected, it’s possible the malicious ads showed up on third party sites which aren’t owned by Yahoo.

If you were unfortunate enough to have been exposed to the attack, your browser would have been redirected to the Magnitude Exploit Kit, which attempted to exploit Java vulnerabilities on your computer.

A successful exploit would then, according to Fox IT, install a variety of financially-motivated malware, including:

  • ZeuS
  • Andromeda
  • Dorkbot/Ngrbot
  • Advertisement clicking malware
  • Tinba/Zusy
  • Necurs

If you needed another reason to disable Java in your computer’s browser (note: Java is not the same thing as JavaScript) then there you have it.

The malicious ads were delivered in the form of iFrames hosted on the following domains:

  • blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
  • slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
  • original-filmsonline.com (192.133.137.63)
  • funnyboobsonline.org (192.133.137.247)
  • yagerass.org (192.133.137.56)
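A practitioner reading the list above will want to check whether any machines on their network touched those hosts. The following is an added example (not code from the original article or from Fox IT): it scans constructed squid-style proxy log lines for the five domains and IP addresses listed, and, as an assumption of this example only, also flags any other host in the same 192.133.137.0/24 range, since the report lists only the hosts observed so far.

```python
import ipaddress
from urllib.parse import urlparse

# Indicators copied from the list above (Fox IT report).
IOC_DOMAINS = {
    "blistartoncom.org",
    "slaptonitkons.net",
    "original-filmsonline.com",
    "funnyboobsonline.org",
    "yagerass.org",
}
IOC_IPS = {
    "192.133.137.59",
    "192.133.137.100",
    "192.133.137.63",
    "192.133.137.247",
    "192.133.137.56",
}
# Assumption of this example: treat the whole /24 the listed hosts share as
# suspect; the report itself names only the individual hosts above.
IOC_NET = ipaddress.ip_network("192.133.137.0/24")

# Constructed sample log (squid native format: epoch time, client, result, URL).
# Not real traffic; the client addresses and timestamps are made up.
SAMPLE_LOG = """\
1388800000.123 10.0.0.5 TCP_MISS/200 http://ads.yahoo.com/st?ad_type=iframe
1388800001.456 10.0.0.5 TCP_MISS/200 http://blistartoncom.org/media/ad.html
1388800002.789 10.0.0.7 TCP_MISS/200 http://192.133.137.77/js/x.jar
1388800003.012 10.0.0.9 TCP_MISS/200 http://www.example.com/index.html
"""


def classify(url):
    """Return a short reason string if the URL's host matches an IOC, else None."""
    host = urlparse(url).hostname
    if host is None:
        return None
    host = host.lower()
    # Exact domain match or any subdomain of a listed domain.
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        return "domain:" + host
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname we do not know about
    if str(ip) in IOC_IPS:
        return "ip:" + str(ip)
    if ip in IOC_NET:
        return "net:" + str(IOC_NET)
    return None


def scan_log(text):
    """Return a list of (client_ip, url, reason) for every matching log line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the hunt
        client, url = parts[1], parts[3]
        reason = classify(url)
        if reason:
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url} [{reason}]")
```

Run against real proxy or DNS logs, the domain match is the one to trust; the /24 match is broader than the report supports and should be treated as a lead to investigate, not a confirmed infection.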

One piece of good news amongst all this mess, is that Yahoo appears to be aware of the issue and taking steps to counter it.

According to Fox IT, traffic to the exploit kit significantly decreased on Friday evening.

Consumers need to keep their anti-virus updated and their applications patched (or, in Java’s case, disabled entirely in the browser if possible) in order to reduce the chances of being hit by a malvertising attack.

It’s worth remembering that malicious adverts can strike you through completely legitimate websites. Long gone are the days when you had to be browsing shady areas of the net to stumble across something malicious.

Yahoo right now should be taking a long hard look at how it could have better protected its ad stream, making it harder for online criminals to ride on the back of its ad network in future.

Read more in Fox IT’s blog: Malicious advertisements served via Yahoo

Also check out HitManPro’s blog, where they explore the malware spread by the attack in greater detail.


3 Responses

  1. Gilbert Dion, January 5, 2014 at 3:51 pm

    Funny, I sent a link to this article by email to a friend who has an email account with Yahoo! and it was refused by Yahoo servers for «policy reasons». This is not the first time I see mails to Yahoo accounts being falsely rejected for those reasons.

    • paul b, January 5, 2014 at 8:17 pm

      It may relate to the IP addresses and domains in the article rather than the critical commentary. Personally I'm most surprised that it took third parties as long as it did to catch it. Websense in particular used to do very good research on this kind of thing.

  2. Sek, January 6, 2014 at 4:53 pm

    Or, you know, get an ad-blocker…
