January 6, 2014
Thousands Of European Yahoo Users Exposed To Malware Since December 30
redOrbit Staff & Wire Reports - Your Universe OnlineWashington Post blogger Timothy B. Lee, two Netherlands-based computer security firms – Fox-IT and Surfright – have confirmed the presence of the malicious code, which “appears to be the work of malicious parties who have hijacked Yahoo's advertising network for their own ends.”
Late Sunday evening, Yahoo confirmed the presence of malware on ads to its European websites, but stated that the advertisements responsible had been removed. The company also emphasized that users in North American, Asian Pacific and Latin America, as well as those viewing Yahoo on a Mac or a mobile device, were not affected.
On January 3, Fox-IT explained that the malware had been detected on the computers of clients that had visited Yahoo.com and received malicious advertisements originating from several different domains. The ads redirected them through a “Magnitude” exploit via an HTTP redirect to a series of apparently random subdomains, all originating from the same IP (220.127.116.11).
Furthermore, the security firm said that the exploit kit takes advantage of vulnerabilities in Java, executing several different types of malware, including ZeuS, Andromeda, Dorkbot/Ngrbot, Tinba/Zusy and Necurs. Fox IT’s investigation showed that December 30 saw the first recorded signs of infection, though the company added that other reports have suggested that the exploit could have started earlier.
“Based on a sample of traffic we estimate the number of visits to the malicious site to be around 300k/hr. Given a typical infection rate of 9 percent this would result in around 27.000 infections every hour,” Fox-IT said. “Based on the same sample, the countries most affected by the exploit kit are Romania, Great Britain and France,” and that those nations were most likely hardest hit because of “the configuration of the malicious advertisements on Yahoo.”
Security researcher and Washington Post contributor Ashkan Soltani told Lee that these types of attacks are usually the result of hackers infiltrating an existing advertising network. However, he did note that there is another possibility – those responsible for the exploit might simply have submitted the malicious software as advertisements, essentially sneaking past the anti-malware security features of Yahoo’s ad department.
“At Yahoo, we take the safety and privacy of our users seriously. We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity,” a Yahoo spokesperson told Lee in a Saturday email.
“It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors,” Fox-IT added. The security firm is advising concerned users to block access to the two IP addresses (the 192.133.137/24 subnet and the 193.169.245/24 subnet) associated with the exploit kit.