Yahoo! Infected With Malicious Ads, Targets Great Britain, Romania, France and Pakistan

Fox-IT, a security product and service company in the Netherlands, stated that computers visiting Yahoo on January 3 were infected with malware from the Yahoo ad network ads.yahoo.com. Fresh analysis indicates that Yahoo has a handle on the problem and that the attack traffic has decreased substantially. The ads were in the form of IFRAMEs hosted on the following domains:

• blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
• slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
• original-filmsonline.com (192.133.137.63)
• funnyboobsonline.org (192.133.137.247)
• yagerass.org (192.133.137.56)

The ads redirected users to a site using the Magnitude exploit kit, all of which appears to come from a single IP address in the Netherlands, which is perhaps related to why Fox-IT’s customers were affected so quickly. The exploit kit at the site exploits vulnerabilities in Java on the client to install a variety of malware such as ZeuS, Andromeda, Dorkbot/Ngrbot, Advertisement clicking malware, Tinba/Zusy and Necurs.

Fox-IT’s research shows the 83% of the attacks targeted Romania, Great Britain, France and Pakistan. There were none attacks however in the US. They speculate that the distribution was made through a function of the Yahoo! ads which was affected by the malware. Fox-IT recommends blocking the 192.133.137/24 and 193.169.245/24 subnets until further information is available.

Thank you ZDNet for providing us with this information