Malware strikes thousands of Yahoo users via poisoned adverts

Graham Cluley
Graham Cluley
@[email protected]

PoisonDutch security firm Fox IT has warned of a malware attack which has been hitting many thousands of internet users since at least December 30th.

Visitors to the Yahoo website see adverts served up by, and it was some of those which were malicious.

The warning from Fox IT estimates that a site involved in the malware attack was receiving 300,000 visits per hour from potential victims, with Romania, Great Britain and France most affected.

However, it wouldn’t be wise for anyone outside of these countries who visited Yahoo to imagine that they are somehow immune from the attack.

Sign up to our free newsletter.
Security news, advice, and tips.
Infection by country. Source: Fox IT
Infection by country. Source: Fox IT

And, of course, because it was Yahoo’s ad network that was affected, it’s possible the malicious ads showed up on third party sites which aren’t owned by Yahoo.

If you were unfortunate enough to have been exposed to the attack, your computer could have been struck by the Magnitude Exploit Kit, where an attempt would have been made to exploit Java vulnerabilities on your computer.

This, in turn, would attempt to install a variety of financially-motivated malware according to Fox IT, including:

  • ZeuS
  • Andromeda
  • Dorkbot/Ngrbot
  • Advertisement clicking malware
  • Tinba/Zusy
  • Necurs

If you needed another reason to disable Java in your computer’s browser (note: Java is not the same thing as JavaScript) then there you have it.

The malicious ads were delivered in the form of iFrames hosted on the following domains:

  • (, registered on 1 Jan 2014
  • (, registered on 1 Jan 2014
  • (
  • (
  • (

One piece of good news amongst all this mess, is that Yahoo appears to be aware of the issue and taking steps to counter it.

According to Fox IT, traffic to the exploit kit significantly decreased on Friday evening.

Consumers need to keep their anti-virus updated, and their applications patched (or – if possible in Java’s case – disabling entirely in the browser) in order to reduce the chances of being hit by a malvertising attack.

It’s worth remembering that malicious adverts can strike you through completely legitimate websites. Long gone are the days when you had to be browsing shady areas of the net to stumble across something malicious.

Yahoo right now should be taking a long hard look at how it could have better protected its ad stream, making it harder for online criminals to ride on the back of its ad network in future.

Read more in Fox IT’s blog: Malicious advertisements served via Yahoo

Also check out HitManPro’s blog, where they explore the malware spread by the attack in greater detail.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Malware strikes thousands of Yahoo users via poisoned adverts”

  1. Funny, I sent a link to this article by email to a friend who has an email account with Yahoo! and it was refused by Yahoo servers for «policy reasons». This is not the first time i see mails to Yahoo accounts being falsely rejected for those reasons.

    1. paul b · in reply to Gilbert Dion

      it may relate to the IP addresses and domains in the
      article rather than the critical commentary. Personally
      I'm most surprised that it took third parties as long as
      it did to catch it – web sense in particular used to do very good
      research on this kind of thing

  2. Sek

    Or, you know, get an ad-blocker…

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.