2014-01-16

Last week, as many as two million users, mostly based in Europe, may have been on the receiving end of malware. How? Through Yahoo ads that were delivered from its homepage. Yahoo eventually blocked the attack, but it took them four days before the problem was resolved.

How did this happen? According to Search Engine Watch:

The ads were served in iframes by Yahoo’s advertising service, and were hosted on external sites. Upon clicking the advertisements, users would be redirected to a selection of other domains, all reporting the same Netherlands-based IP address. The malware users were faced with the money-grabbing Zeus Trojan, botnet software Andromeda and other malware associated with advertising.
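The chain described in that quote (an ad iframe, a redirect, and several landing domains that all resolve to one address) is something a defender can look for in proxy logs after the fact. The script below is an added example, not code from the article or from Yahoo: the log lines, the ad-server hostname `ads.example-adnet.test`, the landing domains and the DNS map are all constructed placeholders, and in a real investigation the map would come from passive DNS or resolver logs rather than a dict.

```python
"""Flag ad-redirect chains that fan into a single hosting IP.

Added example (not from the article or Yahoo). Every log line, hostname
and IP below is constructed; DNS answers are an embedded dict standing in
for passive-DNS or resolver-log data.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines: client_ip, referer, requested URL, HTTP status.
SAMPLE_LOG = """\
10.0.0.5 https://ads.example-adnet.test/iframe?id=1 http://promo-alpha.test/land 302
10.0.0.5 http://promo-alpha.test/land http://jar-delta.test/applet.jar 200
10.0.0.7 https://ads.example-adnet.test/iframe?id=2 http://deal-bravo.test/go 302
10.0.0.7 http://deal-bravo.test/go http://jar-delta.test/applet.jar 200
10.0.0.9 https://ads.example-adnet.test/iframe?id=3 http://win-charlie.test/x 302
10.0.0.9 https://news.example.test/ http://news.example.test/story 200
"""

# Constructed resolver answers; replace with passive DNS in practice.
DNS = {
    "promo-alpha.test": "203.0.113.10",
    "deal-bravo.test": "203.0.113.10",
    "win-charlie.test": "203.0.113.10",
    "jar-delta.test": "203.0.113.10",
    "news.example.test": "198.51.100.20",
    "ads.example-adnet.test": "198.51.100.30",
}

AD_DOMAIN = "ads.example-adnet.test"  # assumed ad-server hostname


def parse_log(text):
    """Yield (client, referer_host, dest_host, status) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        client, referer, url, status = line.split()
        yield client, urlparse(referer).hostname, urlparse(url).hostname, int(status)


def landing_hosts_from_ads(log_text, ad_domain=AD_DOMAIN):
    """Hosts a client was sent to directly from the ad iframe."""
    hosts = set()
    for _, ref_host, dest_host, _ in parse_log(log_text):
        if ref_host == ad_domain and dest_host != ad_domain:
            hosts.add(dest_host)
    return hosts


def shared_ip_clusters(hosts, dns=DNS, min_hosts=2):
    """Group landing hosts by resolved IP; keep clusters of >= min_hosts."""
    by_ip = defaultdict(set)
    for host in hosts:
        ip = dns.get(host)
        if ip:
            by_ip[ip].add(host)
    return {ip: sorted(hs) for ip, hs in by_ip.items() if len(hs) >= min_hosts}


def affected_clients(log_text, flagged_hosts):
    """Clients that reached any flagged host: the triage list."""
    return sorted({c for c, _, d, _ in parse_log(log_text) if d in flagged_hosts})


if __name__ == "__main__":
    landing = landing_hosts_from_ads(SAMPLE_LOG)
    for ip, hosts in shared_ip_clusters(landing).items():
        print(f"{len(hosts)} ad landing domains share {ip}: {', '.join(hosts)}")
        print("clients to triage:", affected_clients(SAMPLE_LOG, set(hosts)))
```

The fan-in check is deliberately indirect: it does not need a signature for the exploit or the payload, only the observation that several unrelated-looking landing domains sit behind one address, which is what the report above describes.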

Some of the malware would actually turn the infected PCs into bitcoin miners. The machine would be set to work, performing the necessary calculations to “mine” for bitcoin. However, rather than rewarding the user with any mined bitcoins, they would go to those who wrote the malware, draining system resources in the process without the user ever being aware of anything going on.

The attacks targeted outdated versions of Java. Java is commonly installed as a plugin in browsers such as Internet Explorer, Firefox, Chrome and Safari to make websites more interactive. However, for that purpose it has been superseded by Flash, JavaScript and similar technologies.

It certainly doesn’t help that more zero-day attacks are aimed at Java than at anything else. According to Steve Regan of CSO:

The only way for the exploits to work is to have outdated versions of Java on your system. If Java is up to date, then the odds are, you’re safe. However, I don’t trust Java, so unless you absolutely need it, my advice is to uninstall it from your system.
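The advice above reduces to a check any administrator can script: is Java present, and if so, is it at or above the current patched release? The following is an added example, not code from the article or from CSO. It runs `java -version` (which prints to stderr) and compares the reported version against a baseline; the baseline `MIN_VERSION` is an assumed placeholder, not a value from the article. It goes slightly beyond the 2014 context by also parsing the post-Java-9 version format ("11.0.2"). One caveat: this inspects the runtime on `PATH`, and the browser plugin can be a different, older install, so it should be paired with a check of the plugin itself.

```python
"""Check whether the Java runtime on PATH meets a minimum baseline.

Added example, not from the article or CSO. MIN_VERSION is an assumed
placeholder; set it to the current patched release for your fleet.
"""
import re
import shutil
import subprocess

MIN_VERSION = (1, 7, 0, 51)  # assumed baseline, not from the article

_VERSION_RE = re.compile(r'version "([^"]+)"')


def parse_java_version(text):
    """Turn `java -version` output into a comparable 4-tuple.

    Handles the legacy "1.7.0_45" form and the post-Java-9 "11.0.2" form;
    returns None when no version line is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    nums = []
    for part in re.split(r"[._-]", m.group(1)):
        if not part.isdigit():
            break  # stop at suffixes such as "ea" or "b18"
        nums.append(int(part))
    # Normalise new-style versions ("11.0.2") to the legacy shape (1, 11, 0, 2)
    if nums and nums[0] != 1:
        nums = [1] + nums
    return tuple(nums + [0] * (4 - len(nums)))[:4]


def evaluate(text, minimum=MIN_VERSION):
    """Return (status, version); status is 'absent', 'outdated' or 'ok'."""
    version = parse_java_version(text)
    if version is None:
        return "absent", None
    return ("ok" if version >= minimum else "outdated"), version


def installed_java_version_output():
    """Run `java -version` if a java binary is on PATH; '' otherwise."""
    if shutil.which("java") is None:
        return ""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    status, version = evaluate(installed_java_version_output())
    if status == "absent":
        print("no Java runtime on PATH")
    else:
        print(f"Java {'.'.join(map(str, version))}: {status}")
```

An "absent" result is the outcome the quote recommends for machines that do not need Java; an "outdated" result is the condition the attacks described in this article depended on.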

Users were identified as coming primarily from Europe. According to Information Week:

Yahoo said it acted quickly after learning of the attacks, and said they appeared to target only European users. ‘These advertisements were taken down on Friday, January 3,’ the spokeswoman said. ‘Users in North America, Asia Pacific, and Latin America were not served these advertisements, and were not affected. Additionally, users using Macs and mobile devices were also not affected.’

However, Yahoo’s definition of having acted quickly might differ from that of IT security firms, not to mention users whose PCs were infected. Information Week says:

Fox-IT said the attacks appeared to have begun on Monday, Dec. 30. Yahoo initially disagreed, saying in a statement on Friday, Jan. 3, that the attacks had started that day.

But by Monday, the company had revised its assessment. “Upon further investigation, we discovered that the advertisements were served between December 31 [to] January 3 — not just on January 3,” a company spokeswoman said via email.

Four days isn’t exactly what you would call having “acted quickly”, especially when referring to a security breach of this magnitude. Not only did they take longer than they should have, they have also provided minimal information about how the exploit got through to their ad network and what victims of the attack should do.

Dan Farber of CNET says:

The malware that could end up on a user’s computer includes exploits such as click fraud (opening Web pages with ads to generate false clicks), remote control of a computer, disabling antivirus software, and theft of usernames and passwords, according to Surfright.

At this point, Yahoo may still be gathering data, and says as much in a statement:

“We will continue to monitor and block any advertisements being used for this activity,” the company added. “We will post more information for our users shortly.”