Article Lead Image

Thousands of Yahoo visitors hit with malware attack

The U.K., France, and Romania were the hardest hit.


Dell Cameron


Over the past few days, visitors to Yahoo’s domains may have picked up more than search results and news. That is, according to two Internet security firms who identified malicious code in the company’s advertising servers, which had been infecting hundreds of thousands of users with malware. 

According to Fox IT, which specializes in IT security and digital forensics, the attacks appear to be financially motivated and originating from servers within the Netherlands. The attacks appear to have started on December 30, 2013. As many as 300,000 users per hour visited the infected sites during that time. It’s estimated that as many as 27,000 users per hour may have been infected.

The “Magnitude” exploit kit, (also known as Popads) which redirected users from advertisements serviced by, may have infected users with a variety of malware, including ZeuS, Andromeda, Dorkbot, and others. The kit is said to infect users by exploiting vulnerabilities in Java. 

A second security researcher, Mark Loman, reported the attack to his followers on Twitter. Loman is a malware analyst at Surfright, also located in the Netherlands.

Yahoo’s ad[.]yahoo[.]com redirecting to exploit kit, malware ht @lennartdegraaff

— Mark Loman (@markloman) January 3, 2014

According to Fox IT, the majority of the attacks infected users in Romania, Great Britain and France. Although the researchers were unsure why the attackers selected these countries, they said it was likely by design.

In a statement, Yahoo told reporters: “We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity.” 

“It appears the traffic to the exploit kit has significantly decreased. It looks like Yahoo is taking steps to fix the problem,” Fox IT told users. The firm also advised users to block access to 192.133.137/24 and 193.169.245/24 subnet, the IP addresses of the malicious advertisement and exploit kit.

Update: Yahoo has issued the following updated statement: 

At Yahoo, we take the safety and privacy of our users seriously.  From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines –specifically, they spread malware. On January 3, we removed these advertisements from our European sites. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected.  Additionally, users using Macs and mobile devices were not affected.

We will continue to monitor and block any advertisements being used for this activity.  We will post more information for our users shortly.

H/T Washington Post | Illustration by Dell Cameron

Share this article

*First Published:

The Daily Dot