Yahoo.com Visitors Hit by Malware Attack

Two Internet security companies have stated that Yahoo's advertising and marketing servers were spreading malware to several a huge numbers of users during the last few days. The attack is the work of malicious people whom have stolen Yahoo's advertising network for their ends.

Fox IT, a security company found in the Netherlands, published a blog post on Friday explaining the problem. "Clients browsing Yahoo.com received advertisements served by ads.yahoo.com. A few of the advertisements be malicious," the company reported. Rather than providing ordinary advertisements, the Yahoo's servers reportedly forward users an "exploit kit" that "exploits vulnerabilities in Java and installs a host of various malware."

Ashkan Soltani, a security researcher and Washington Post contributor, alerted me to the issue. Often, he says, these attacks are "the results of hacking an existing advertisement network. However, there is another possibility," he says. The offenders may have merely sent the harmful software as ordinary advertisements, coming past Yahoo's system for removing malicious submissions.


Fox IT says Yahoo users were already being infected since about Dec. 30. At the time it discovered the issue on Friday, the company announces, malicious payloads are being sent to around 300,000 users an hour. The company presumptions that around 9 percent of 27,000 users an hour are being infected. More recently, the firm says, infections have tapered off, perhaps because of hard work by Yahoo's security team.

"It is unclear which particular group is behind this attack, however the attackers be clearly financially motivated," the company writes. Fox IT implies that whoever is behind the attack may be selling control of the victims' computers to other online criminals.

Another security researcher based in the Netherlands, Mark Loman, has confirmed seeing the malware. His company, Surfright, makes antivirus software.

The fact the malware targeted flaws in the Java programming environment is an important reminder the software has become a security risk. When it had been created nearly 20 years ago, the Java programming language was known as a way to make websites more interactive. However, it has been largely superseded by technologies like Flash and JavaScript.

As Java's Web plug-in has declined in popularity among legitimate Web developers, its security flaws became a juicy target for hackers. Some browser developers were going towards blocking the technology outright. In addition, security experts suggest that in case your browser supports it, you should disable Java (but not JavaScript, a separate technology) being a precaution.

Update: "At Yahoo, we take the safety and privacy of our users seriously," a Yahoo spokesperson said in a Saturday email to the Washington Post. "We lately identified an advertisement designed to spread malware to some of our users. We immediately removed it and will continue to monitor and prevent any advertisements being used for this activity."

Update (January 5): Yahoo concluded that Mac and Mobile users were not affected by the attack, as well as users from North America.