Users visiting yahoo.com are reportedly being served malicious advertisements which, when clicked upon, redirect them to an exploit kit via an HTTP redirect.
Security firm FOX IT revealed yesterday that they came across instances where their customers’ systems were infected with different malware through the ‘Magnitude’ exploit kit. The exploit kit is known to exploit vulnerabilities in Java and installs a host of malware including ZeuS, Andromeda, Dorkbot/Ngrbot, Tinba/Zusy and Necurs, among others.
The security company revealed that they detected signs of infection as early as December 30. According to FOX IT, the malicious advertisements are iframes hosted on one of the following domains: blistartoncom.org (192.133.137.59); slaptonitkons.net (192.133.137.100); original-filmsonline.com (192.133.137.63); funnyboobsonline.org (192.133.137.247); and yagerass.org (192.133.137.56).
Once these are visited, users are redirected to random subdomains of boxsdiscussing.net, crisisreverse.net, limitingbeyond.net and others, all of which are hosted on a single IP address, 193.169.245.78.
The company claims that visits to the malicious site could have been as high as 300K per hour at its peak; if a typical 9 percent infection rate is assumed, as many as 27,000 systems could have been infected every hour.
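For defenders, the indicators above can be checked against web proxy logs. The following is an added example, not code from FOX IT or the original article; the log format, function names and sample lines are constructed for illustration.

```python
from collections import defaultdict

# Indicators as listed in the article above.
AD_DOMAINS = {"blistartoncom.org", "slaptonitkons.net", "original-filmsonline.com",
              "funnyboobsonline.org", "yagerass.org"}
AD_IPS = {"192.133.137.59", "192.133.137.100", "192.133.137.63",
          "192.133.137.247", "192.133.137.56"}
EK_DOMAINS = {"boxsdiscussing.net", "crisisreverse.net", "limitingbeyond.net"}
EK_IP = "193.169.245.78"

def under(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(host, dest_ip):
    """Return 'ek' (exploit kit host), 'ad' (ad iframe host) or None."""
    # The IP check also catches redirect domains the article only calls "others".
    if dest_ip == EK_IP or under(host, EK_DOMAINS):
        return "ek"
    if dest_ip in AD_IPS or under(host, AD_DOMAINS):
        return "ad"
    return None

def triage(log_lines):
    """Map client IP -> verdict. Assumed format: '<time> <client> <host> <dest_ip>'."""
    stages = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, host, dest_ip = parts
        stage = classify(host, dest_ip)
        if stage:
            stages[client].add(stage)
    # A client that reached the exploit kit host is the higher-priority case.
    return {c: ("reached-exploit-kit" if "ek" in s else "ad-only")
            for c, s in stages.items()}

# Constructed sample log lines (not real traffic).
SAMPLE = [
    "10:00:02 10.0.0.5 blistartoncom.org 192.133.137.59",
    "10:00:03 10.0.0.5 x7f2a.crisisreverse.net 193.169.245.78",
    "10:01:10 10.0.0.9 yagerass.org 192.133.137.56",
    "10:02:00 10.0.0.7 q1.unlisted-example.test 193.169.245.78",
    "10:03:00 10.0.0.8 notyagerass.org 198.51.100.7",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Clients marked `reached-exploit-kit` were sent on to the exploit kit host and should be examined first; `ad-only` clients loaded an ad iframe host but show no logged request to the exploit kit.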
“Based on the same sample, the countries most affected by the exploit kit are Romania, Great Britain and France. At this time it’s unclear why those countries are most affected, it is likely due to the configuration of the malicious advertisements on Yahoo”, notes FOX IT on its blog.