
Corrupted Yahoo ads infect thousands of users with malware

Thousands of users who visited Yahoo's Web site over the past week were infected with malware, researchers have found. The malware was delivered via malicious advertisements that appeared on the site.

Yahoo confirmed the infection, but said it has already been removed. "At Yahoo, we take the safety and privacy of our users seriously. On Friday, January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically they spread malware. We promptly removed these advertisements. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected," the company said in an email.

Attackers had inserted malvertisements, or malicious advertisements, into the ad servers used by Yahoo, Fox-IT, a Dutch security firm, wrote in a blog post. These ads redirected users to a page hosting the "Magnitude" exploit kit, which targets various Java vulnerabilities. The exploit kit installed "a host of different malware" onto vulnerable computers, such as the Zeus Trojan, Andromeda, Dorkbot/Ngrbot, ad-clicking malware, Tinba/Zusy and Necurs, Fox-IT said. The researchers believe the servers had been showing malvertisements since 30 December, but did not rule out the possibility that the attacks began even earlier.

"It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated," Fox-IT said. The attackers may be selling the ability to control these infected machines to other cyber-criminals, perhaps as part of a botnet.

Stealthy Attack

Malvertisements are especially sneaky because users get infected just by loading a website. The users don't need to do anything—such as clicking on a link—to get infected. These malicious ads have been popping up on legitimate sites over the past few years. In 2011, Spotify users were hit by malicious ads served up by a third-party ad network, as were visitors to the London Stock Exchange's website. In fact, users are 182 times more likely to be infected with malware from these ads than from adult content sites, Cisco found in a survey last year.

"Long gone are the days when you had to be browsing shady areas of the net to stumble across something malicious," wrote Graham Cluley, a security researcher.

On Friday, the malware was being delivered to approximately 300,000 users per hour, which would mean about 27,000 users per hour were actually being infected, Fox-IT estimated. The countries with the largest number of affected users were Romania, the United Kingdom, and France.

While the Fox-IT report focused on Yahoo, Graham Cluley noted that users who visited other sites using Yahoo's ad network may also have been affected.

It's not known at this point how the malicious ads made it into the ad network. While it's possible the attackers compromised the ad server to load the malicious files, it's also possible they submitted the ad through the normal process and tricked Yahoo into thinking it was an ordinary ad. That doesn't necessarily mean Yahoo wasn't doing its job — the ad could have been harmless when submitted, with the attackers swapping in malicious code only after it was accepted.

Since malvertisements are tricky to defend against, it is even more important that users run updated software on their computers and keep their security software current. Because the exploit kit targeted Java, users should either uninstall Java, disable it entirely in the browser, or take other steps to protect themselves from attacks against Java.

"If you needed another reason to disable Java in your computer's browser, then there you have it," Cluley said.

Elsewhere, Yahoo is taking measures to protect its users' data, having announced in October 2013 that Yahoo Mail would begin encrypting emails this month.