Yahoo! malware ad attack was worse than first thought, users outside Europe impacted

Yahoo! has confirmed a recent incident, in which malware was served through the company’s ad network, originally thought to have been confined to Europe, also affected users outside the continent.

The exploit was originally discovered by cybersecurity firm Fox-IT, which said in a blog post it had detected malicious advertisements served from Yahoo! servers redirecting users to websites in which their computers were loaded with malware:

“Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious… Upon visiting the malicious advertisements users get redirected to a ‘Magnitude’ exploit kit via a HTTP redirect to seemingly random subdomains.”

“The investigation showed that the earliest signs of infection were at December 30, 2013. Other reports suggest it might have started even earlier.

“It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors.”

In its initial response on January 5, Yahoo! issued a statement acknowledging the problem, stating at the time it believed the issue was limited to users visiting its websites from Europe.

“From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware. On January 3, we removed these advertisements from our European sites. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected,” the company stated.

Yahoo! also stated that people using Macs or mobile devices were also not affected by the attack.

However, the tech giant has since issued a follow-up statement clarifying the incident began earlier than it first believed – from December 27 – and that users outside Europe were impacted.

“Upon further investigation of the recent ad malware incident, we now know that users may have been impacted between December 27, 2013 – January 3, 2014. While the bulk of those exposed to the malicious advertisements were on European sites, a small fraction of users outside of this region may have been impacted as well.

The company says the attack took place because a single account was compromised, with that account subsequently shut down and that relevant law enforcement authorities have been notified.

Yahoo! is advising users who are concerned about the attack to ensure they have the latest versions of Java and Adobe Flash installed on their computer and are up-to-date with Windows security patches.

COMMENTS