Two separate Internet security firms have reported that over the past several days, Yahoo’s advertising servers have been distributing malware to visitors to Yahoo! properties and to other sites that display Yahoo! ads. It is believed that the malware was placed on the advertising servers by malicious parties who found a way to hijack the ad network.
A blog post written by Fox IT, a respected security firm in the Netherlands, said, “Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious.” It went on to say that the Yahoo servers send users an exploit kit which “exploits vulnerabilities in Java and installs a host of different malware.”
At this point it is not clear whether Yahoo’s advertising servers were hacked, or whether an advertisement containing the malware was submitted via the normal channels and happened to make it past Yahoo’s screening process.
According to the reports, visitors to Yahoo properties have been getting infected with this malware since at least December 30th. When it was discovered, Fox IT says it was delivering the exploit kit to around 300,000 users per hour. Due to anti-malware software and other factors, only about 9% of those 300,000 actually got infected by the malware. This is still 27,000 users per hour, which is a significant rate of infection.
The other security firm that confirmed the malware was Surfright, also based in the Netherlands. Surfright is a maker of anti-virus software.
A Yahoo spokeswoman said in an email to the Washington Post, “At Yahoo, we take the safety and privacy of our users seriously. We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity.” Yahoo also confirmed that this attack did not affect users in North America or anyone who used mobile devices or Mac computers.
Yahoo’s security team is undoubtedly still investigating. Anyone who visits any Yahoo properties should run the anti-malware software of their choice to confirm they have not been infected.