An estimated 2.5 million Yahoo users were likely infected with malicious software after hackers hijacked some of the company's advertisements and used them to attack web surfers. According to cyber security firm Fox IT, which reported the breach, some advertisements viewed by clients from December 30 through January 2 were infected with malware. CNET explains that users who saw pages with the ads were redirected to sites that install intrusive software onto their computers, even if they didn't click on the advertisement.
Fox IT estimates that 27,000 Yahoo clients' computers were infected every hour over the four-day period:
"Based on a sample of traffic we estimate the number of visits to the malicious site to be around 300k/hr. Given a typical infection rate of 9% this would result in around 27,000 infections every hour."
According to security firm SurfRight, that amounts to roughly 2.5 million users overall. Fox IT explains that American users were probably not vulnerable to the breach:
"Based on the same sample, the countries most affected by the exploit kit are Romania, Great Britain and France. At this time it’s unclear why those countries are most affected, it is likely due to the configuration of the malicious advertisements on Yahoo."
Yahoo's response to the incident has been rather minimal. The company issued a statement on Saturday that acknowledged the problem, but did not provide a detailed account of the episode:
"At Yahoo, we take the safety and privacy of our users seriously. We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity."
CNET reports that the company offered more information on Sunday:
"On Friday, January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically they spread malware. We promptly removed these advertisements. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected."
We're glad to hear that "spreading malware" doesn't meet Yahoo's editorial guidelines, but we're still curious about what actually happened - and how worried infected users should be. Yahoo did, at least, later update the statement to include that the malware infections started on December 30.
SurfRight stepped in to offer more information. The company posted an explanation of the types of malware in the ads, as identified by Fox IT. According to SurfRight, users were susceptible to click fraud malware that runs multiple processes "to open web pages with ads belonging to the affiliate ID of the criminal." Others allow backdoor access to and remote control of personal computers, steal passwords and usernames, block websites, and more. SurfRight explains that users with older machines were most likely hit:
"Not every ad on the Yahoo advertisement network contained the malicious iframe, but if you have an outdated version of Java Runtime... and you used Yahoo Mail the last 6 days, your computer is likely infected. In addition, we also received reports that the malware was spreading through ads in Yahoo Messenger as well. So if you used Yahoo’s services lately, it’s a good idea to scan your computer for malware."
This is not the first time Yahoo has been in the spotlight over shoddy security. Back in November, the company was reportedly among those spied on by the NSA, after having said previously that it was refusing federal requests for user data. At least Yahoo's not alone: Google and Twitter were hacked by botnets, Facebook was recently accused of reading private messages, and Hulu was accused of sharing information with Facebook. Welcome to the new normal.
This article was originally published at http://www.thewire.com/technology/2014/01/yahoo-malware/356715/