Yahoo! Visitors Hit With Malware Ads
Security firm Fox IT, which operates the Security Operations Center service ProtACT, reported that for a period starting on December 30th (possibly earlier) and stretching to around January 3rd (when the malicious traffic started to die off), visitors to Yahoo.com were served malicious ads. The ads redirected them to domains that pointed to a single IP address in the Netherlands, where they were hit with the Magnitude exploit kit.
[Figure: Fox IT's estimate of infections per country from Yahoo.com malicious ads]
The kit exploited Java vulnerabilities and installed malware including ZeuS, Andromeda, Dorkbot/Ngrbot, Necurs, and more. Based on an estimated number of site visitors (around 300,000 per hour) and assuming an infection rate of 9%, Fox IT figures that there were about 27,000 infections per hour for the better part of a week.
Fox IT said that Yahoo is aware of the situation and is looking into it, and the company has stated that it has found the malicious ad and removed it.
Although it’s never acceptable to allow your users to be hit with malware, these things do happen, and sometimes all a company can do is scramble the jets, as it were, to fix the problem as quickly as possible, which it seems that Yahoo has done. However, it’s especially bad timing, as many users are already frustrated with the glitchy launch of the new Yahoo Mail. Yahoo doesn’t need to give users any other reasons to bail on the site.