1/6/2014 12:04 PM

Yahoo Ads Hack Spreads Malware

Millions of users exposed to drive-by malware attacks that targeted Java bugs to install six types of malicious code.

Yahoo.com visitors received an unexpected surprise beginning on New Year's Eve: advertisements that targeted their systems with malware.

The malicious advertising campaign was first spotted on Friday by Dutch information security consulting firm Fox-IT, which immediately warned Yahoo. Fox-IT said in a blog post that the attack advertisements -- which were being served by ads.yahoo.com -- used iFrames to hide malicious scripts. If a user clicked on the advertisement, they were redirected to a site that hosted the "Magnitude" exploit kit, which then attempted to exploit any Java vulnerabilities present on their system to install malware.
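As an added example (not Fox-IT's or Yahoo's code), here is a small Python audit that flags the kind of hidden iframe described above in an ad creative before it is served: frames that are one pixel or smaller, frames hidden by CSS, and frames whose src host is not on an allow list. The allow list, hostnames and creatives below are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that makes a frame invisible to the viewer while it still loads.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a creative."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dim(attrs, name):
    """Parse a width/height attribute; None when absent or not a plain number."""
    raw = str(attrs.get(name, "")).strip().lower().removesuffix("px")
    return int(raw) if raw.isdigit() else None


def _is_tiny(attrs):
    w, h = _dim(attrs, "width"), _dim(attrs, "height")
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def audit_creative(html, allowed_hosts):
    """Return [(src, [reasons])] for suspicious iframes; [] means nothing flagged."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if _is_tiny(frame):
            reasons.append("zero/one-pixel frame")
        if HIDDEN_STYLE.search(frame.get("style", "")):
            reasons.append("hidden by CSS")
        if host and host not in allowed_hosts:
            reasons.append(f"src host {host} not on allow list")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample data (hypothetical hosts, not from the article).
ALLOWED_HOSTS = {"ads.example-adserver.test"}
CLEAN_CREATIVE = ('<a href="https://advertiser.example-adserver.test/"><img '
                  'src="https://ads.example-adserver.test/banner.png" width="300" height="250"></a>')
SUSPECT_CREATIVE = (CLEAN_CREATIVE + '<iframe src="http://landing.example-bad.test/x.php" '
                    'width="1" height="1" style="display:none"></iframe>')
```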

"The attackers are clearly financially motivated and seem to offer services to other actors," said Fox-IT, noting that the exploit kit behind the attacks dropped six different types of malware, including the Zeus banking Trojan, Dorkbot, and a click-fraud Trojan. The greatest number of users targeted by the malicious advertisements were in Romania (24%), the United Kingdom (23%), and France (20%), according to Fox-IT.

By late Friday, Fox-IT reported that "traffic to the exploit kit has significantly decreased," meaning that whatever steps Yahoo was taking to block the attack appeared to be working.

[For more on recent security threats, see Snapchat Breach: What's Next.]

How long did the attacks last? Fox-IT said the attacks appeared to have begun on Monday, Dec. 30. Yahoo initially disagreed, saying in a statement on Friday, Jan. 3, that the attacks had started that day.

But by Monday, the company had revised its assessment. "Upon further investigation, we discovered that the advertisements were served between December 31 [to] January 3 -- not just on January 3," a company spokeswoman said via email.

Yahoo said it acted quickly after learning of the attacks, and said they appeared to target only European users. "These advertisements were taken down on Friday, January 3," the spokeswoman said. "Users in North America, Asia Pacific, and Latin America were not served these advertisements, and were not affected. Additionally, users using Macs and mobile devices were also not affected."

"We will continue to monitor and block any advertisements being used for this activity," she added. "We will be posting more information for our users shortly."

How many Yahoo.com visitors may have been exploited by the attacks? By Fox-IT's reckoning, based on the sample traffic it recorded -- about 300,000 visitors to the malicious site per hour -- and malware being dropped onto an average of 9% of those systems, it's likely that about 27,000 systems were infected every hour. Assuming that the attack campaign lasted for three days, that means 2 million Yahoo users may have been infected by malware via the attack campaign.

Who launched the attacks? That's not clear, although the exploit kit used by attackers "bears similarities to the one used in the brief infection of PHP.net in October 2013," said Fox-IT. In that attack, two of the servers running the PHP.net site were hacked and used to serve JavaScript malware.

This isn't the first information security or infrastructure snafu to affect Yahoo users in recent months. In September, the company introduced a "Not My Email" button after users of recycled account names reported that they'd received sensitive personal information intended for former accountholders.

Last month, meanwhile, some users of Yahoo Mail -- which CEO Marissa Mayer has made a priority of overhauling, and which was redesigned in June 2013 -- were unable to access their webmail for up to three days. Yahoo's senior VP of communications products, Jeff Bonforte, apologized for the email outage, which he said resulted from "a hardware problem in one of our mail data centers," and which had been "harder to fix than we originally expected."

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.


Comments
Li Tan, User Rank: Apprentice
1/8/2014 | 10:57:37 PM
Re: Another Yahoo problem
That's also the reason why I do not like online ads: the potential problem of having viruses, malware, etc. embedded. Yahoo is good at putting out fires, but it cannot survive this way. Some concrete action plans are needed to prevent such disasters from happening in the first place.
Shane M. O'Neill, User Rank: Apprentice
1/7/2014 | 9:50:11 AM
Re: Another Yahoo problem
Yahoo may work quickly to quash email outages and malware-infested ads when they happen, and these snafus may be just part of doing business, but the past month has been a PR disaster for the company. I don't think it's enough to do serious damage to the brand; Yahoo still has millions of content users. But the company needs to shake the perception that it is always putting out fires.
Kristin Burnham, User Rank: Apprentice
1/7/2014 | 8:50:27 AM
Re: Another Yahoo problem
Good insight, Jason. Dedicated Yahoo users -- similar to dedicated Facebook users -- seem to roll with the punches when things like this occur.
SaneIT, User Rank: Apprentice
1/7/2014 | 7:45:40 AM
Re: Another Yahoo problem
This is good insight. The way advertising has always worked on the web is a bit different than, say, print media. It is much harder to keep tabs on what is behind the curtain with ads delivered on the web, so it's hard to hold Yahoo completely responsible for stopping the ads. Now, once they learned that there was a problem, then yes, the burden of removing the ads fell on them, but it sounds like they acted quickly. If we're going to hold every web site that has ads responsible for the content of those ads, then it's time to start shutting everyone down, because I've seen those scammy "lose 10 pounds in a week" ads just about everywhere.
moarsauce123, User Rank: Apprentice
1/7/2014 | 7:38:22 AM
Re: Another Yahoo problem
No, it fits exactly into the perception I have from Yahoo. They want to play with the big kids, but lack the skill to do so. Yahoo is one of these companies where I wonder how they managed to stick around despite their utter irrelevance.
jasonscott, User Rank: Apprentice
1/6/2014 | 9:21:39 PM
Re: Another Yahoo problem
Having spent 10 years working for a regional news & information site, I have first-hand knowledge of how hard it is to prevent malicious ads from being delivered to end-users. Many larger advertisers supply code that communicates with their servers (or those of some third party) to select an ad based on various criteria ... so the code that was provided to Yahoo! may have appeared fine ... but the ad that was dynamically returned contained malicious code. Sometimes it's even more convoluted than that.

So this issue doesn't affect my concerns about Yahoo!.

Nor does it trouble me that Yahoo! is replacing the rotting foundations of some of its systems. That's smart, and hopefully they're implementing new foundations upon which they'll launch new services, soon.

These days, it's less likely that Yahoo! or anyone else will introduce some revolutionary new service. Yahoo! has enough of a user base that if they can repair things and have solid, reliable services, they'll do fine. In fact, if they can offer a good alternative to the questionably-invasive services offered by certain other providers, they could very well pick up a bunch of users.

Personally, I have a Yahoo! account that I use daily, and have for about 7 years now, and it works well for me. (I was unaffected by the recent outage, btw ... that would have bothered me somewhat, but mail to the account isn't usually critical/time-sensitive.)

I will say that recycling email account usernames was just a poor business decision on their part ... or at the very least poorly carried out. But, again, it didn't affect me, since my account has been in use for years.
Thomas Claburn, User Rank: Moderator
1/6/2014 | 3:52:34 PM
Re: Another Yahoo problem
I keep hoping Yahoo will do something that demonstrates it has put its past behind it. But most of the company's recent moves seem to be geared at replacing rotting foundations. I hope 2014 brings some initiatives that show leadership rather than just acknowledgement of existing gaps.
Kristin Burnham, User Rank: Apprentice
1/6/2014 | 2:01:25 PM
Another Yahoo problem
Yahoo has made some significant strides with redesigns, acquisitions and new features in the last year, but it has also suffered some major problems: the recycled email debacle being one of them, and now this. Readers: Does this latest problem impact your perception of the company?