Since the December 30th Yahoo website is proposing a malicious ad that was serving a malware, the discovery was made by Dutch security firm Fox IT.
Visitors to the Yahoo website see the advertisements served up by ads.yahoo.com, but unfortunately hackers have exploitined it to serve malicious contents.
It is still unknown who is behind the attack, but the hackers are clearly financially motivated, according other investigator probably they are offering services to other criminal gangs selling victim’s credential on the black market or renting infected host controlled by them.
Of course the impact of malware-based attacks via a so popular portal is considerable serious, Fox IT estimated that the website used for the attack was receiving nearly 300,000 visits per hour, visitors most affected are located in Romania, Great Britain and France.
“Given a typical infection rate of 9% this would result in around 27.000 infections every hour.”
The post on Fox IT reports that “Those malicious advertisements are iframes hosted on the following domains”:
Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via a HTTP redirect to seemingly random subdomains of:
“All those domains are served from a single IP address: 220.127.116.11. This IP-address appears to be hosted in the Netherlands.” states Fox IT.
Magnitude kit exploits vulnerabilities in Java and serve on the victim’s machine any kind of malware including:
Yahoo is aware of the ongoing malware attack and is taking necessary countermeasures to stop it in fact traffic to the server hosting the malicious exploit is decreasing since Friday evening. The hope is that Yahoo in the future will be able to protect the entire data flaw also related to third parties sites that propose ads through its channel. Meantime users need to keep their systems updated and install defense mechanisms, only following this couple of suggestions they could reduce the risk to be infected by a malware.
(Security Affairs – malware, Yahoo ads)