Yahoo! Infected With Malicious Ads, Targets Great Britain, Romania, France and Pakistan
Gabriel Roşu / 3 years ago
Fox-IT, a security product and service company in the Netherlands, stated that computers visiting Yahoo on January 3 were infected with malware from the Yahoo ad network ads.yahoo.com. Fresh analysis indicates that Yahoo has a handle on the problem and that the attack traffic has decreased substantially. The ads were in the form of IFRAMEs hosted on the following domains:
- blistartoncom.org (188.8.131.52), registered on 1 Jan 2014
- slaptonitkons.net (184.108.40.206), registered on 1 Jan 2014
- original-filmsonline.com (220.127.116.11)
- funnyboobsonline.org (18.104.22.168)
- yagerass.org (22.214.171.124)
The ads redirected users to a site using the Magnitude exploit kit, all of which appears to come from a single IP address in the Netherlands, which is perhaps related to why Fox-IT’s customers were affected so quickly. The exploit kit at the site exploits vulnerabilities in Java on the client to install a variety of malware such as ZeuS, Andromeda, Dorkbot/Ngrbot, Advertisement clicking malware, Tinba/Zusy and Necurs.
Fox-IT’s research shows the 83% of the attacks targeted Romania, Great Britain, France and Pakistan. There were none attacks however in the US. They speculate that the distribution was made through a function of the Yahoo! ads which was affected by the malware. Fox-IT recommends blocking the 192.133.137/24 and 193.169.245/24 subnets until further information is available.
Thank you ZDNet for providing us with this information