Thousands of Yahoo users hit with Malware Attack

Yahoo servers have been hit by malware which was transferred to thousands of users of Yahoo service. Yahoo has already blocked the malware code, but thousands of website visitors have been hit by the code which infected the advertising network of the company. If you clicked an ad on one of Yahoo!’s websites in the last few days, you may be at risk of having your computer infected by malware. 

Given a typical infection rate of 9% this would result in around 27,000 infections every hour. Based on the same sample, the countries most affected by the exploit kit are Romania, Britain, and France. At this time it’s unclear why those countries are most affected, it is likely due to the configuration of the malicious advertisements on Yahoo, - Fox IT, in a blog post.

On the technical side, the malware enters the computer once code on the website exploits a vulnerability in Java. Even though Fox IT has noted that traffic to the infected Netherlands domains is slowing and is much lower than a couple of days ago, there is still a large amount of people who may now have infected computers.

The ads infected with malware were served directly from ads.yahoo.com, meaning that there is a potential issue with Yahoo’s security or ad screening process.  Fox IT notes that the infected ads have been popping up on Yahoo since December 30, when the first set of victims were seen.

The following websites were advertised via spam code which was shown in iframe of the yahoo.com advertisements. Iframe loads a web page of any website within a web page. The aim of hackers behind the attack has not been established by Fox IT believes that the attack was motivated by financial gains.

• blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
• slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
• original-filmsonline.com (192.133.137.63)
• funnyboobsonline.org (192.133.137.247)
• yagerass.org (192.133.137.56)

From The Washington Post:

Ashkan Soltani, a security researcher and Washington Post contributor, alerted me to the issue. Often, he says, such attacks are "the result of hacking an existing ad network. But there's another possibility, he says. The culprits may have simply submitted the malicious software as ordinary ads, sneaking past Yahoo's system for filtering out malicious submissions.

The fact that the malware targeted flaws in the Java programming environment is an important reminder that the software has become a security menace. When it was created almost two decades ago, the Java programming language was hailed as a way to make Web sites more interactive. But it has been largely superseded for this purpose by technologies like Flash and JavaScript.