Yahoo users who visited the company’s web site in the last week were served malware through malicious advertisements that appeared on Yahoo’s site.
Yahoo has acknowledged the malware infection and says it has been removed. In a company email, Yahoo said that it takes the privacy and safety of its users very seriously, that it identified an ad designed to spread malware to Yahoo users, and that the ad was removed immediately. Yahoo is now monitoring for and blocking any future ads designed for this type of activity.
The Dutch security firm Fox-IT wrote about the attack on its blog on Saturday. The attackers inserted malvertisements (malicious ads) into the ads.yahoo.com servers; the ads redirected a user’s browser to a web site hosting the “Magnitude” exploit kit. The kit attacks the browser through various Java vulnerabilities and, once an exploit succeeds, installs a host of different malware on the unsuspecting user’s computer. The malicious files installed included Necurs, Tinba/Zusy, Dorkbot/Ngrbot, Andromeda, the Zeus Trojan and ad-clicking malware. Fox-IT said the site had been showing malvertisements since approximately December 30, but did not rule out the possibility that the malicious ads had appeared before that date.
Fox-IT was not able to attribute the attack to any particular group, but it was clear that the attackers were financially motivated. One theory is that they intend to sell control of the infected computers to other cyber-criminals and malicious groups. Cyber-criminals routinely control large numbers of infected computers together as a botnet.
What makes malvertisements so dangerous is that a user can be infected just by loading a page that carries the ad. No click on the ad is required: the ad’s code redirects the browser to the exploit kit on its own, and the exploit runs without any further action from the user.
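As an added illustration of the redirect chain described above (this is example code written for this page, not Yahoo’s or Fox-IT’s), the following Python script scans a few constructed proxy log lines for the pattern a defender would look for: a request to a host outside the ad network with ads.yahoo.com as its referer, followed within a short window by a fetch of a Java archive from that same host. The log format, the 60-second window, the `.jar` heuristic and every hostname other than ads.yahoo.com are assumptions for the example, and the log lines are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log (not from the article or Fox-IT's report).
# Fields: client_ip timestamp method url status referer
SAMPLE_LOG = """\
10.0.0.5 2014-01-03T10:00:01 GET http://www.yahoo.com/ 200 -
10.0.0.5 2014-01-03T10:00:02 GET http://ads.yahoo.com/st?ad_type=iframe 200 http://www.yahoo.com/
10.0.0.5 2014-01-03T10:00:03 GET http://landing.example.invalid/index.php?id=1 200 http://ads.yahoo.com/st?ad_type=iframe
10.0.0.5 2014-01-03T10:00:05 GET http://landing.example.invalid/x.jar 200 http://landing.example.invalid/index.php?id=1
10.0.0.7 2014-01-03T10:01:00 GET http://www.yahoo.com/ 200 -
10.0.0.7 2014-01-03T10:01:01 GET http://ads.yahoo.com/st?ad_type=iframe 200 http://www.yahoo.com/
10.0.0.7 2014-01-03T10:01:02 GET http://cdn.benign-advertiser.invalid/banner.png 200 http://ads.yahoo.com/st?ad_type=iframe
10.0.0.9 2014-01-03T10:02:00 GET http://intranet.example.invalid/app.jar 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ref>\S+)$"
)

AD_SERVER_HOSTS = {"ads.yahoo.com"}   # the ad server named in the article
WINDOW = timedelta(seconds=60)        # assumed gap between landing page and payload


def host_of(url):
    """Hostname of a URL, or None for the '-' placeholder used for an empty referer."""
    if url == "-":
        return None
    return urlparse(url).hostname


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def find_driveby_chains(log_text):
    """Return one hit per (client, landing host) that completes the ad -> landing -> .jar chain."""
    # per client: third-party host -> time of the first request to it referred by the ad server
    landings = defaultdict(dict)
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, ts, url = rec["ip"], rec["ts"], rec["url"]
        url_host = host_of(url)
        ref_host = host_of(rec["ref"])

        # Step 1: the ad slot sent the browser to a host outside the ad network.
        if ref_host in AD_SERVER_HOSTS and url_host not in AD_SERVER_HOSTS:
            landings[ip].setdefault(url_host, ts)

        # Step 2: the same client then pulls a Java archive from that landing host
        # shortly afterwards. A .jar fetched with no ad-referred visit first
        # (10.0.0.9 above) is not part of the chain and is not flagged.
        path = urlparse(url).path.lower()
        if path.endswith(".jar") and url_host in landings[ip]:
            if ts - landings[ip][url_host] <= WINDOW:
                hits.append({"client": ip, "landing_host": url_host, "payload": url})
    return hits


if __name__ == "__main__":
    for hit in find_driveby_chains(SAMPLE_LOG):
        print(f"{hit['client']} redirected by ad to {hit['landing_host']}, fetched {hit['payload']}")
```

On the constructed log only client 10.0.0.5 is flagged: 10.0.0.7 was also sent to a third-party host by the ad slot but only loaded an image, and 10.0.0.9 fetched a Java archive that was never reached through an ad redirect. The same two-step logic applies to any publisher’s ad server by changing `AD_SERVER_HOSTS`.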
Attacks of this type on legitimate web sites have been happening for years. Yahoo is not the first: Spotify users were hit in 2011 with malicious ads served by a third-party ad network, and the London Stock Exchange web site also infected its visitors with ads from the same network. In a survey last year, Cisco found that users were 182 times more likely to get malware from legitimate web sites than from adult-themed web sites.
Fox-IT’s estimate of the number of infections is based on approximately 300,000 visitors per hour on Friday, of whom roughly 27,000 per hour were actually infected with the malware. The most affected countries were France, the United Kingdom and Romania. Users of other legitimate web sites that also use the Yahoo ad server may have been infected as well.
It is not known how the ad made its way onto the Yahoo ad server. The attackers could have compromised the server directly, or they may have submitted the malicious ad through the normal process, disguised as a legitimate ad.
Security experts recommend keeping all software on a computer up to date and installing a suitable security program if one is not already present. Uninstalling Java, or disabling the Java plugin within the web browser, removes the attack surface this exploit kit depends on and offers another line of defense against malware delivered through Java exploits. The attackers behind the Yahoo ad malware will likely continue to plant malvertisements on legitimate sites, so users beware.
By Brent Matsalla