Malware served through Yahoo advertisements

Dutch security firm Fox IT discovered an ongoing malware-based attack that hit thousands of Yahoo users via malicious ads. Users are alerted.

Since the December 30th Yahoo website is proposing a malicious ad that was serving a malware, the discovery was made by Dutch security firm Fox IT.

Visitors to the Yahoo website see the advertisements served up by ads.yahoo.com, but unfortunately hackers have exploitined it to serve malicious contents.

It is still unknown who is behind the attack, but the hackers are clearly financially motivated, according other investigator probably they are offering services to other criminal gangs selling victim’s credential on the black market or renting infected host controlled by them.

Of course the impact of malware-based attacks via a so popular portal is considerable serious, Fox IT estimated that the website used for the attack was receiving nearly 300,000 visits per hour, visitors most affected are located in Romania, Great Britain and France.

“Given a typical infection rate of 9% this would result in around 27.000 infections every hour.”

The post on Fox IT reports that “Those malicious advertisements are iframes hosted on the following domains”:

blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
original-filmsonline.com (192.133.137.63)
funnyboobsonline.org (192.133.137.247)
yagerass.org (192.133.137.56)

Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via a HTTP redirect to seemingly random subdomains of:

boxsdiscussing.net
crisisreverse.net
limitingbeyond.net
and others

“All those domains are served from a single IP address: 193.169.245.78. This IP-address appears to be hosted in the Netherlands.” states Fox IT.

Magnitude exploit kit was very common, it was used for the recent attacks against PHP.net website and against the on-demand Internet streaming media NetFlix.

Magnitude kit exploits vulnerabilities in Java and serve on the victim’s machine any kind of malware including:

ZeuS
Andromeda
Dorkbot/Ngrbot
Advertisement clicking malware
Tinba/Zusy
Necurs

Yahoo is aware of the ongoing malware attack and is taking necessary countermeasures to stop it in fact traffic to the server hosting the malicious exploit is decreasing since Friday evening. The hope is that Yahoo in the future will be able to protect the entire data flaw also related to third parties sites that propose ads through its channel. Meantime users need to keep their systems updated and install defense mechanisms, only following this couple of suggestions they could reduce the risk to be infected by a malware.

Pierluigi Paganini

(Security Affairs – malware, Yahoo ads)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.