last couple of days , a good percentage of users visiting yahoo.com were infected by driveby malware. Malacious ads were served from ads.yahoo.com and the first incident was report on December 30th 2013 and Yahoo has not been able to taken them down from their own network.
So how does all this happen ? When a user visits Yahoo.com from his browser, the malware frames yahoo ad network and tries to infect users PC upon loading of the page. The malware (attacker ) tries to inject itself to any vulnerable software available , typically include java, adobe flash or windows vulnerability. Once the malware loads itself successfully infecting the PC, it becomes the part of the huge botnet eco system. The infected system may send users hotmail, gmail or bank logins every 20 minutes to a unknown server. In the past infected computers showed all kinds of adware on the system but nowadays the attacks are so much sophisticated that the user may not see anything suspicious at all in his browsing experience.
As reported by fox-it they have seen numerous attempts and below are the domain names they have seen repeatedly and Yahoo security team have not been successful in blocking the infection.
One of the best ways to protect from such infections is to block ads completely by using adblock
The malicious advertisements are iframes hosted on the following domains as reported by fox-it security.
- blistartoncom.org (18.104.22.168), registered on 1 Jan 2014
- slaptonitkons.net (22.214.171.124), registered on 1 Jan 2014
- original-filmsonline.com (126.96.36.199)
- funnyboobsonline.org (188.8.131.52)
- yagerass.org (184.108.40.206)
Visiting the maladvertisements, the user get redirected to a “Magnitude” exploit kit via a HTTP redirect to unknown random subdomains.
The exploit kit exploits vulnerabilities in Java and installs a host of different malware including:
- Advertisement clicking malware
Ref : http://foxitsecurity.files.wordpress.com/2014/01/yahoo-ad-distribution.jpg