Thousands of Yahoo.com users received malware from exploited advertising servers (Video)
Posted by: Jon Ben-Mayor on 01/05/2014 03:32 PM
"Hundreds of thousands" of Yahoo users have been sent malware since at least December 30th; the distribution stems from compromised advertising servers.
The issue was discovered on January 3, and according to a blog post from cyber defense specialists FOX IT, malicious payloads were being delivered to around 300,000 users per hour. The attacks appear to originate from a single IP address, 193.169.245.78, which was found to be hosted in the Netherlands.
Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious. Those malicious advertisements are iframes hosted on the following domains:
blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
original-filmsonline.com (192.133.137.63)
funnyboobsonline.org (192.133.137.247)
yagerass.org (192.133.137.56)
Upon visiting the malicious advertisements, users are redirected to a “Magnitude” exploit kit via an HTTP redirect to seemingly random subdomains of:
boxsdiscussing.net
crisisreverse.net
limitingbeyond.net
and others
The countries most affected by the exploit kit are Romania, Great Britain and France. At this time it’s unclear why those countries are most affected.
At this point FOX IT is not certain "which specific group is behind this attack, but the attackers are clearly financially motivated." They go on to suggest that the criminals may be selling control of the infected computers to other cyber criminals.
FOX IT also advises users to block access to the following IP addresses of the malicious advertisements and the exploit kit:
Block the 192.133.137/24 subnet
Block the 193.169.245/24 subnet
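As an added illustration, not part of the original article or of FOX IT's advisory, the following Python script turns the indicators listed above (the two /24 subnets, the iframe-hosting domains and the exploit-kit redirect domains) into a check that can be run over proxy log lines to find clients that reached those hosts. The log lines are constructed for the example and the field layout (timestamp, client IP, method, URL, destination IP) is an assumption; real proxy formats differ.

```python
import ipaddress
from urllib.parse import urlsplit

# Subnets FOX IT advised blocking, as quoted in the article.
BLOCKED_SUBNETS = [
    ipaddress.ip_network("192.133.137.0/24"),  # malicious advertisement iframes
    ipaddress.ip_network("193.169.245.0/24"),  # Magnitude exploit kit redirect target
]

# Domains named in the article. The exploit kit used random subdomains of the
# last three, so matching is done on the domain suffix rather than exact host.
MALICIOUS_DOMAINS = (
    "blistartoncom.org",
    "slaptonitkons.net",
    "original-filmsonline.com",
    "funnyboobsonline.org",
    "yagerass.org",
    "boxsdiscussing.net",
    "crisisreverse.net",
    "limitingbeyond.net",
)

# Constructed sample log (hypothetical traffic, not captured data).
# Fields: timestamp client-ip method url destination-ip
SAMPLE_LOG = """\
1388880000.123 10.0.0.5 GET http://ads.yahoo.com/st?ad_type=iframe 98.139.0.1
1388880001.456 10.0.0.5 GET http://blistartoncom.org/ad.html 192.133.137.59
1388880002.789 10.0.0.5 GET http://k3j2h.boxsdiscussing.net/ 193.169.245.78
1388880003.000 10.0.0.7 GET http://example.com/index.html 93.184.216.34
"""


def is_blocked_ip(ip_text):
    """True if ip_text falls inside one of the advised-block subnets."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        # Destination field was not an IP literal (e.g. a hostname or '-').
        return False
    return any(addr in net for net in BLOCKED_SUBNETS)


def is_malicious_host(host):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS)


def classify(host, dest_ip):
    """Return the list of reasons a request matches the indicators (empty if clean)."""
    reasons = []
    if is_malicious_host(host):
        reasons.append("malicious-host")
    if is_blocked_ip(dest_ip):
        reasons.append("blocked-subnet")
    return reasons


def scan_log(text):
    """Scan log lines and return one record per line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        timestamp, client, _method, url, dest_ip = parts
        host = urlsplit(url).hostname or ""
        reasons = classify(host, dest_ip)
        if reasons:
            hits.append({"timestamp": timestamp, "client": client,
                         "host": host, "dest_ip": dest_ip, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Clients that appear in the output are the ones worth checking for a successful exploit-kit infection; a match on the advertisement domain alone only shows the iframe was loaded, while a follow-up request into the 193.169.245/24 range shows the redirect to the kit was followed.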
"At Yahoo, we take the safety and privacy of our users seriously," a Yahoo spokeswoman said in a Saturday email to the Washington Post. "We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity."