For a period of around 4 days, millions of users from Europe who visited Yahoo.com might have had their computers infected with malware served via malicious advertisements.
According to Fox-IT, the company that first spotted the attack, cybercriminals had compromised ads.yahoo.com as early as December 30, 2013. Malicious iframes placed on the website redirected visitors to domains hosting the Magnitude exploit kit.
The exploit kit leveraged Java vulnerabilities to push various pieces of malware, including ZeuS, Andromeda, Dorkbot, Tinba (Zusy), and Necurs.
Yahoo says that only users from Europe are impacted. Fox-IT says that most infections have been detected in Romania, the UK, and France.
The infection was cleaned up by Yahoo on January 3. However, researchers from HitmanPro report that there might be as many as 2.5 million impacted computers.
It’s worth noting that victims didn’t have to click on the malicious ads in order to have their devices infected with malware. Users from Europe who visited Yahoo.com from a computer running a vulnerable version of Java should immediately scan their computers with an up-to-date antivirus program to make sure they’re not victims of this attack.
It’s uncertain who is behind the operation, but the cybercriminals are clearly motivated by financial gain, experts say.
“This particular malware distribution method is extremely popular among cybercriminals because it allows the attacker to target the entire audience of a high-profile website, such as Yahoo, the number of victims being proportionate with the traffic,” Bitdefender Chief Security Strategist Catalin Cosoi told Softpedia.
“Even though the portal identified and removed the dangerous ads, users who are already infected will continue to feel the effects of the malware, primarily through loss of money and sensitive data, which is why a quick disinfection is crucial,” the expert added.