The Yahoo.com domain served malicious advertisements which redirected users to the “Magnitude” exploit kit.
According to a blog post by Fox-IT, five malicious iframes redirected users to websites served from an IP address in the Netherlands. The Magnitude kit exploits vulnerabilities in Java and can install a range of malware, including ZeuS and Andromeda.
Fox-IT said its examination of a traffic sample showed that the campaign mainly affected users in Europe, specifically Romania (24 per cent of infections), the UK (23 per cent) and France (20 per cent). Fox-IT also said that, with a typical infection rate of nine per cent, this would result in around 7,000 infections every hour.
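The redirect chain above starts with an iframe inside an ad creative. The following is an added example, not code from Fox-IT, Yahoo or the article, of the kind of review check an ad platform could run over submitted creative markup: it parses the HTML and flags iframes whose host is an IP literal (as in this campaign), whose host is outside a hypothetical allow-list, or which are hidden or sized to zero or one pixel. The allow-list, the sample markup and the 192.0.2.10 address are constructed for the example.

```python
"""Flag suspicious iframes in ad markup.

Added example, not from Fox-IT or Yahoo. Assumptions (not from the article):
the ad platform can inspect the HTML an advertiser supplies, and iframes that
point at an IP-literal host, at a host outside an allow-list, or that are hidden
or zero/one-pixel in size merit a manual review before the creative is served.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of hosts an ad creative is permitted to frame.
ALLOWED_HOSTS = {"ads.example.com", "cdn.example.com"}

# Constructed sample creative: one legitimate frame, one hidden frame to an
# IP-literal host (TEST-NET address), one 1x1 frame to an unknown host.
SAMPLE_AD = """
<div class="ad">
  <iframe src="https://ads.example.com/creative/123" width="300" height="250"></iframe>
  <iframe src="http://192.0.2.10/ads/" width="0" height="0" style="display:none"></iframe>
  <iframe src="https://tracker.invalid/pixel" width="1" height="1"></iframe>
</div>
"""


def _is_ip_literal(host):
    """True if the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _hidden(attrs):
    """True if the frame is styled invisible or sized to 0 or 1 pixel."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim)
        if value is not None and value.strip().lower().rstrip("px") in ("0", "1"):
            return True
    return False


def scan_ad_markup(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (src, reasons) for every iframe that merits review."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        parsed = urlparse(src)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme in ("data", "javascript"):
            reasons.append("inline %s: URL" % parsed.scheme)
        elif host and _is_ip_literal(host):
            reasons.append("IP-literal host")
        elif host and host not in allowed_hosts:
            reasons.append("host not on allow-list")
        if _hidden(attrs):
            reasons.append("hidden or zero-size frame")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in scan_ad_markup(SAMPLE_AD):
        print(src, "->", ", ".join(reasons))
```

A check like this catches only what is visible in the creative at submission time; a creative that loads its redirect later via script, or that changes behaviour depending on the visitor's geography (which Fox-IT suggested explains the country skew), would still need to be observed by actually rendering it from several vantage points.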
“At this time it’s unclear why those countries are most affected. It’s likely due to the configuration of the malicious advertisements on Yahoo,” Fox-IT said. It reported on Friday 3rd January that traffic to the exploit kit had significantly decreased, suggesting that Yahoo was taking steps to fix the problem.
A Yahoo statement said the company was aware of the issue. “At Yahoo, we take the safety and privacy of our users seriously. We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity.”
Amichai Shulman, CTO of Imperva, said that the problem in this case was the advertising platform itself: any platform built for targeted advertising is equally effective for targeted malvertising.
“Regardless of the specific ad platform, they create an opportunity for an attacker to target specific geographies, specific crowds (programmers, travellers to specific destinations) and even specific people. For an ad platform it is virtually impossible to guarantee 100 per cent malware-free ads.
“Ad platforms should keep doing what they do (guarantee 100 per cent effort, not 100 per cent results), as consumers can really do nothing but keep their computers as patched as possible. Enterprises must accept that infection of devices is inevitable. The outcome of such an infection with respect to enterprise data can be mitigated through close monitoring and protection of the data sources.”