Yahoo.com ads expose thousands to malware

Hundreds of thousands of visitors to the Yahoo.com website may have encountered malware from the website's advertising servers since December 30, according to security experts.

Detailing its findings in a blog post, Netherlands-based research outfit Fox-IT confirmed that it had “detected and investigated the infection of clients after they visited yahoo.com”.

The firm said that visitors who saw the malicious ads were automatically directed to the “Magnitude” exploit kit which would exploit numerous vulnerabilities in Java to install a host of different malware, such as Zeus, Andromeda, Dorkbot, Necurs and ad-click malware.

As a result, Fox-IT estimates that the website was visited 300,000 times each hour and adds that the infection rate could be as high as 27,000 infections over the same time-frame. The company says that Romania, Britain and France were the most affected countries, with Yahoo later commenting that the issue had not impacted Mac and mobile users in North America, Asia Pacific and Latin America.

The one piece of good news here is that Yahoo appears to have patched this vulnerability as the infection rate has since dropped significantly since the news emerged.

Mark Loman, a researcher for Surfright, confirmed on Twitter that he had also seen the malware. A number of other security analysts have since urged users to disable Java (not JavaScript, which is a separate program) as a precaution for browsers that still support the ageing software.

“At Yahoo, we take the safety and privacy of our users seriously,” a Yahoo spokesperson said in an email to the Washington Post.

“We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity.”

Yahoo is said to be the fourth most popular website on the Internet, according to Alexa estimates.

“It's worth remembering that malicious adverts can strike you through completely legitimate websites,” wrote security expert Graham Cluley on a blog post. “Long gone are the days when you had to be browsing shady areas of the net to stumble across something malicious.”

“Yahoo right now should be taking a long hard look at how it could have better protected its advertising stream, making it harder for online criminals to ride on the back of its ad network in future.”

When speaking to SCMagazineUK.com, Quocirca analyst Bob Tarzey said that while the event was bad news for Yahoo and, specifically, the reputation of online advertising, it may have even bigger consequences for Oracle's Java.

“There have been a lot a questions raised about Java security over the last 12 months and Oracle's failure to address the issues effectively,” said Tarzey. 

“In particular the controls around the signing of Java applets, which should ensure integrity, have broken down, enabling rogue applets that would normally be blocked to gain access to system resources to obtain them. This is causing many to move away from Java to other tools such as HTML5.”

Peter Armstrong, director of cyber security at Thales UK, told SCMagazineUK.com that the attack is a lesson to Yahoo - and other web marketers - that they need to monitor their services for exploit and malware delivery.

"Any large organisation that is exploiting large web-marketing or advertising capabilities will need to ensure they more stringently command, control and monitor their services for exploit and malware delivery," said Armstrong. "Given the nature of the services they offer, large organisations will always be targeted as a means of infecting or exploiting large numbers as quickly as possible.