Yahoo.com visitors received an unexpected surprise beginning on New Year's Eve: advertisements that targeted their systems with malware.

The malicious advertising campaign was first spotted on Friday by Dutch information security consulting firm Fox-IT, which immediately warned Yahoo. Fox-IT said in a blog post that the attack advertisements -- which were being served by ads.yahoo.com -- used iFrames to hide malicious scripts. If a user clicked on the advertisement, they were redirected to a site that hosted the "Magnitude" exploit kit, which then attempted to exploit any Java vulnerabilities present on their system to install malware.

"The attackers are clearly financially motivated and seem to offer services to other actors," said Fox-IT, noting that the exploit kit behind the attacks dropped six different types of malware, including the Zeus banking Trojan, Dorkbot, and a click-fraud Trojan. The greatest number of users targeted by the malicious advertisements were in Romania (24%), the United Kingdom (23%), and France (20%), according to Fox-IT.

By late Friday, Fox-IT reported that "traffic to the exploit kit has significantly decreased," meaning that whatever steps Yahoo was taking to block the attack appeared to be working.

[For more on recent security threats, see Snapchat Breach: What's Next.]

How long did the attacks last? Fox-IT said the attacks appeared to have begun on Monday, Dec. 30. Yahoo initially disagreed, saying in a statement on Friday, Jan. 3, that the attacks had started that day.

But by Monday, the company had revised its assessment. "Upon further investigation, we discovered that the advertisements were served between December 31 [to] January 3 -- not just on January 3," a company spokeswoman said via email.

Yahoo said it acted quickly after learning of the attacks, and said they appeared to target only European users. "These advertisements were taken down on Friday, January 3," the spokeswoman said. "Users in North America, Asia Pacific, and Latin America were not served these advertisements, and were not affected. Additionally, users using Macs and mobile devices were also not affected."

"We will continue to monitor and block any advertisements being used for this activity," she added. "We will be posting more information for our users shortly."

How many Yahoo.com visitors may have been exploited by the attacks? By Fox-IT's reckoning, based on the sample traffic it recorded -- about 300,000 visitors to the malicious site per hour -- and malware being dropped onto an average of 9% of those systems, it's likely that about 27,000 systems were infected every hour. Assuming that the attack campaign lasted for three days, that means 2 million Yahoo users may have been infected by malware via the attack campaign.

Who launched the attacks? That's not clear, although the exploit kit used by attackers "bears similarities to the one used in the brief infection of PHP.net in October 2013," said Fox-IT. In that attack, two of the servers running the PHP.net site were hacked and used to serve JavaScript malware.

This isn't the first information security or infrastructure snafu to affect Yahoo users in recent months. In September, the company introduced a "Not My Email" button after users of recycled account names reported that they'd received sensitive personal information intended for former accountholders.

Last month, meanwhile, some users of Yahoo Mail -- which CEO Marissa Mayer has made a priority of overhauling, and which was redesigned in June 2013 -- were unable to access their webmail for up to three days. Yahoo's senior VP of communications products, Jeff Bonforte, apologized for the email outage, which he said resulted from "a hardware problem in one of our mail data centers," and which had been "harder to fix than we originally expected."

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

Knowing your enemy is the first step in guarding against him. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)