After the malicious activity was detected and reported by Dutch security firm Fox-IT, Yahoo has said they've resolved the problem that led to malicious ads being served from ads.yahoo.com.
It isn't clear how the malicious adverts came to be. The likely explanation is that an advertiser purchased legitimate ad space and, once the required security checks had been passed, swapped the approved creatives for harmful ones.
During the attack, which started on December 31 and lasted until January 3, visitors to Yahoo's domains from the EU were redirected to sites hosting the Magnitude exploit kit. There was no interaction required on the user's part, as simply viewing the ad was enough to trigger the redirect.
Once a visitor was redirected, the exploit kit targeted vulnerable Java installations and attempted to install a wide range of malware, including Zeus, Andromeda, and malware known to use the infected host as a Bitcoin-mining drone. At its peak, estimates placed the infection rate at roughly 27,000 systems per hour.
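The attack chain described above (an ad is merely viewed, the page is redirected to an exploit-kit site, and a Java payload is delivered) leaves a trail in web-proxy logs that a defender can reconstruct after the fact. The script below is an added example and is not code from the article, Yahoo, or Fox-IT: it walks the HTTP referrer chain backwards from every Java archive download and flags those that trace back to an ad-network host. The pipe-delimited log format and every hostname other than ads.yahoo.com are constructed for illustration.

```python
"""Trace Java payload downloads back to the ad creative that led to them.

Added example (not from the article or Fox-IT). The log format and all
hostnames except ads.yahoo.com are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Ad-network hosts whose creatives we want to trace (the article names ads.yahoo.com).
AD_HOSTS = {"ads.yahoo.com"}

# Content types that indicate a Java applet/archive being delivered to the browser.
JAVA_TYPES = {"application/java-archive", "application/x-java-archive"}

# Constructed proxy log: time | client | url | status | content-type | referrer
SAMPLE_LOG = """\
2014-01-02T10:00:01Z|10.0.0.5|https://news.example.invalid/|200|text/html|-
2014-01-02T10:00:02Z|10.0.0.5|http://ads.yahoo.com/creative/123.html|200|text/html|https://news.example.invalid/
2014-01-02T10:00:02Z|10.0.0.5|http://redirector.example.invalid/r?x=1|302|text/html|http://ads.yahoo.com/creative/123.html
2014-01-02T10:00:03Z|10.0.0.5|http://landing.example.invalid/index.php|200|text/html|http://redirector.example.invalid/r?x=1
2014-01-02T10:00:04Z|10.0.0.5|http://landing.example.invalid/a.jar|200|application/java-archive|http://landing.example.invalid/index.php
2014-01-02T10:05:00Z|10.0.0.9|https://news.example.invalid/|200|text/html|-
2014-01-02T10:05:01Z|10.0.0.9|http://ads.yahoo.com/creative/456.html|200|text/html|https://news.example.invalid/
2014-01-02T10:05:02Z|10.0.0.9|https://cdn.example.invalid/banner.png|200|image/png|http://ads.yahoo.com/creative/456.html
2014-01-02T10:07:00Z|10.0.0.9|https://intranet.example.invalid/tool.jar|200|application/java-archive|https://intranet.example.invalid/
"""


def parse_line(line):
    """Split one constructed log line into a dict; '-' means no referrer."""
    ts, client, url, status, ctype, ref = line.split("|")
    return {"ts": ts, "client": client, "url": url, "status": int(status),
            "ctype": ctype, "ref": None if ref == "-" else ref}


def is_java_payload(rec):
    """A .jar download by content type or by URL path."""
    return rec["ctype"] in JAVA_TYPES or urlparse(rec["url"]).path.endswith(".jar")


def trace_to_ad(url, referrer_of, max_hops=6):
    """Walk referrers backwards from url; return the forward chain if it reaches an ad host."""
    chain = [url]
    for _ in range(max_hops):
        ref = referrer_of.get(chain[-1])
        if ref is None:
            return None
        chain.append(ref)
        if urlparse(ref).hostname in AD_HOSTS:
            return list(reversed(chain))
    return None


def find_ad_to_java_chains(log_text):
    """Return [(client, [ad_url, ..., payload_url])] for every Java download
    whose referrer chain leads back to an ad-network host."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_client[rec["client"]].append(rec)
    hits = []
    for client, recs in per_client.items():
        # Map each requested URL to the referrer that led to it, per client.
        referrer_of = {r["url"]: r["ref"] for r in recs if r["ref"]}
        for r in recs:
            if is_java_payload(r):
                chain = trace_to_ad(r["url"], referrer_of)
                if chain:
                    hits.append((client, chain))
    return hits


if __name__ == "__main__":
    for client, chain in find_ad_to_java_chains(SAMPLE_LOG):
        print(client, " -> ".join(chain))
```

On the sample log, only client 10.0.0.5 is flagged: its .jar download traces back through the redirector to an ads.yahoo.com creative, while 10.0.0.9 viewed an ad that led only to an image and later fetched a .jar from an internal host with no ad in its chain. In production the same idea works on any proxy or DNS log that preserves the referrer, and the payload check can be widened beyond Java to whatever plugin the kit in question targets.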
In a statement, Yahoo stressed that the attack was limited to visitors in the EU and that users in North America, Asia, and Latin America were not impacted. Mobile users and Mac users were also unaffected.
"From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines -- specifically, they spread malware. On January 3, we removed these advertisements from our European sites. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected." - Yahoo
In a statement to the Hash, ESET's Cameron Camp and Lysa Myers said that basic endpoint protections would have helped those hit by this attack, including an up-to-date AV client and basic vulnerability mitigation such as keeping third-party software patched. Camp also noted that products such as Adblock Plus (a common browser add-on) would have halted the attack. Fox-IT's initial report reached the same conclusion.
"The exploits used in this threat, from what I can see, were using exploits that were over a year old. It's likely that an up to date browser and plugins could have possibly prevented the malware from dropping," Myers said.
"Running a malware suite 'on access' (that is to say, in real time), heuristic or behavioral detection might have caught these well-known malware families. And if those two layers had not stopped the malware, a firewall might have detected a suspicious network connection when the malware attempted to call home for instructions."
When advertising networks are compromised, the criminals behind the attack are exploiting trust. Yahoo is just the latest media firm to fall victim to malicious adverts. In 2009, Gawker's ads were hijacked to deliver rogue antivirus installers, and later that same year the New York Times faced a similar attack. In both cases the malicious ads were harmless at first and changed only once the ad manager's guard was down.
Yahoo hasn't explained where the malicious ads came from, so if this wasn't a case of a legitimate ad going rogue, an ad-server compromise remains a possibility. The media giant has promised to share additional details with customers soon.