Attackers serve up malware to Yahoo visitors at rate of 300,000 per hour
Yahoo's advertising network was recently hacked, and visitors were redirected to a malicious website at a rate of 300,000 per hour, according to Dutch security firm Fox-IT.
Fox-IT says its clients who visited Yahoo were infected by malicious ads, which redirected them to a "Magnitude" exploit kit. The kit exploits security holes in Java and installs a range of malware, including the financial-data-stealing ZeuS trojan.
"It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors," Fox-IT explains in a blog post.
The security firm was able to track the initial infections to Dec. 30, but the infections could have started earlier.
Countries hardest hit by the Yahoo attack are Romania, the United Kingdom and France.
A Yahoo spokeswoman tells the Washington Post that the infections appear to be focused in Europe, with North American users not being affected.
In a Jan. 4 email to the newspaper, the spokeswoman says that Yahoo "identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity."
In comments provided to FierceITSecurity, Oscar Marquez, chief product officer at security firm Total Defense, observes that the attack vector used was cross-site scripting.
The Yahoo ads "had an i-frame in them that was directed to infected files on a server not owned by Yahoo ... Simply visiting a page with an infected ad could have resulted in infection. The infected files used were previously known forms of malware, so any up-to-date endpoint protection should have detected and prevented the infection."
Marc Maiffret, chief technology officer at BeyondTrust, comments: "This is yet another good example of companies needing to do the most basic security precautions around identifying vulnerabilities, patching their systems and reducing privileges."