Thousands of Yahoo users faced malware attacks for the last few days, reported a security internet firm. The firm, Fox-IT, suggested that several malicious parties hijacked the Yahoo servers for their own benefit. Whenever a visitor enters the Yahoo domain, they receive certain Yahoo ads which redirect the user to a malicious exploit kit called “Magnitude.”
According to the data of the security firm, 300,000 users were visiting the malware ads and 9 percent of systems were infected. The attack epicenters are Romania, Great Britain, and France; however it can affect any machine which visits the above mentioned sites.
Upon clicking the ads, viewers are redirected via iFrame, and exposed to an HTTP service. Some of those websites are blistartoncom.org, yagerass.org, original-filmsonline.com, and funnyboobsonline.org. When the visitor reaches these websites, the HTTP service redirects it to random sub domains.
Some of the sub domains are boxdiscussing.net, crisisreverse.net, and limitingbeyond.net. These sub domains resolve to a single IP address whose port number is “18.104.22.168“. The rate of visitors hitting this IP has been calculated to be 300K/hour as reported by Fox-IT. The Yahoo Corporation’s spokeswoman has confirmed that they identified a malware ad and removed it immediately upon discovery. She said, “At Yahoo, we take the safety and privacy of our users seriously.” Fox-IT has been monitoring the visits to the malware site and they confirmed the reduction of malware attacks, but the attacks have not fully stopped. Yahoo users may have faced the malware attack, but evidently the billion dollar corporation recovered.
The Netherlands-based internet security firm suggested that Yahoo users block the IP addresses of 193.169.245/24 sub-net and 192.133.137/24 sub-net and hinted that the attackers are “financially motivated.” Malware is a very sneaky infection because as soon as the user hits the website, the malware gets into the user’s system. This is because malwares can be uploaded to the front-end user by just loading simple websites. A Dutch malware analyst called Mark Loman also confirmed the malware attack via his twitter post.
The “Magnitude” exploit kit’s IP appears to be hosted in Netherlands. Along with the redirection of users to malware sites, it exploits certain weaknesses of Java to install several other malware infections such as ZeuS, Andromeda, Tinba, Necurs, and Dorkbot. There are some plugins of Java language, which have lost the popularity among the genuine developers; hence the unscrupulous hackers made it their target.”
The malware attack could have been caused by two possible scenarios. The malicious ads could have been disguised as a genuine ad and then bypassed the Yahoo authentication, or it could have been introduced by hacking the Yahoo network.
The Yahoo users were getting infected since Dec. 30, but it was not detected. As soon as the Netherlands Security Agency detected the malware, the information went viral over the internet. The firm also suggested disabling the Java from the browser of every machine as a precautionary measure. Users of Yahoo should be pro-active to follow the instructions given above to stop the malware attack.
By Sunando Basu