Thousands Infected By Malicious Ads On Yahoo

Thousands of visitors to the Yahoo.com website have been hit by malicious ads, pointing them to downloads of the prevalent Magnitude exploit kit, which attempts to drop malware on victims’ machines.

Security firm Fox-IT investigated infections of a number of its clients, finding Yahoo’s ad platform was supporting malicious iframes served up from five different domains. The attacks date back to at least 30 December.

It is believed thousands will have been infected. “Based on a sample of traffic we estimate the number of visits to the malicious site to be around 300k/hr. Given a typical infection rate of 9 percent this would result in around 27.000 infections every hour,” the security company said in a blog post.

Yahoo attack: Brits hit hard

British users were hit badly, with 23 percent of infections based in Great Britain. French and Romanians were also heavily impacted. “At this time it’s unclear why those countries are most affected, it is likely due to the configuration of the malicious advertisements on Yahoo,” Fox-IT said.

“It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors. The exploit kit bears similarities to the one used in the brief infection of php.net in October 2013.”

The Magnitude exploit kit attempts to chuck all kinds of malware on to a victims’ system, including the prevalent banking Trojan Zeus and the Andromeda backdoor. Magnitude has become more prevalent since the demise of the Blackhole exploit kit, following the arrest of its alleged author Paunch.

The Yahoo attacks have been linked back to a single IP address – 193.169.245.78 – hosted in the Netherlands.

Yahoo said it had removed the bad ads. The attacks appear to have affected Windows users only.

“From 31 December to 3 January on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware,” a Yahoo spokesperson said.

“On 3 January, we removed these advertisements from our European sites. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected.  Additionally, users using Macs and mobile devices were not affected.”

Are you a security expert? Try our quiz!