Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware.
Correction:This story previously stated that the ads required a click to trigger the exploit. According to Maarten van Dantzig of Fox IT, the ad being displayed is enough to redirect users to the malware injection site. We are checking with Yahoo for further explanation.
In a blog post, Fox IT estimated that, based on sample traffic, the number of visits to the site carrying the malicious code was visited around 300,000 times per hour.
"Given a typical infection rate of 9% this would result in around 27,000 infections every hour. Based on the same sample, the countries most affected by the exploit kit are Romania, Britain, and France. At this time it's unclear why those countries are most affected, it is likely due to the configuration of the malicious advertisements on Yahoo," Fox IT said on its blog.
The security firm found evidence that the redirects go to domains hosted in the Netherlands, but was unable to identity the perpetrators. Traffic has slowed to the exploit, Fox IT noted, suggesting that Yahoo is addressing the vulnerability.
Yahoo confirmed the presence of malware on its servers and said it had taken steps to combat the issue.
"We recently identified an ad designed to spread malware to some of our users," Yahoo said Saturday in a statement. "We immediately removed it and will continue to monitor and block any ads being used for this activity."
In a further statement issued Sunday, a Yahoo spokesperson said:
On Friday, January 3, on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically, they were designed to spread malware. We promptly removed these advertisements. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected.
Yahoo subsequently modified its statement, adding that malicious ads were served between December 31 and January 3, not just Jan. 3. The spokesperson added that the company plans to post more information on the malware incident for its users.
Updated January 5, 2014, with additional information from Yahoo.