Questions left unanswered about Yahoo malware attack

Yahoo says that mostly non-mobile Windows users in Europe were attacked, but hasn't provided any public guidance on the number of affected users or what they should do.

Dan Farber

On Saturday, Fox IT, a security firm in the Netherlands, discovered that some visitors to Yahoo.com over the last few days had been infected with malware. Visitors to pages with malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of malware.

Following news of the exploit, Yahoo has issued two statements to the press, but so far nothing on its public Tumblr blog, where it provides updates on products and services. On Saturday, a Yahoo spokesperson said:

"At Yahoo, we take the safety and privacy of our users seriously. We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity."

On Sunday, Yahoo offered a few more details, notably that the exploit impacted European users, and that Macintosh and mobile users were safe.

"At Yahoo, we take the safety and privacy of our users seriously. On Friday, January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically they spread malware. We promptly removed these advertisements. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected."

Late Sunday evening, Yahoo updated its previous statement, noting that the malicious ads were served between December 31 and January 3, not just on January 3. The offending ads were taken down on January 3.

At this point, Yahoo hasn't addressed any of the details, such as how the malware exploit got into its Web pages, how many users are impacted, and what victims of the attack should do. The company may still be gathering data.

According to Maarten van Dantzig of Fox IT, just the ad being displayed is enough to redirect users to the malware injection site. The security firm estimated that a typical infection rate of 9 percent would result in around 27,000 infections every hour.

Surfright, another security company based in the Netherlands, offered its take on the Yahoo.com ad malware attack and the potential consequences. Surfright estimates that more than 2 million computers have been infected. In a blog post, a Surfright researcher wrote:

"Not every ad on the Yahoo advertisement network contained the malicious iframe, but if you have an outdated version of Java Runtime (you can check here) and you used Yahoo Mail the last 6 days, your computer is likely infected. In addition, we also received reports that the malware was spreading through ads in Yahoo Messenger as well. So if you used Yahoo's services lately, it's a good idea to scan your computer for malware."

The malware that could end up on a user's computer is capable of click fraud (opening Web pages with ads to generate false clicks), remote control of the computer, disabling antivirus software, and theft of usernames and passwords, according to Surfright.

Yahoo's statement that some advertisements violated the company's editorial guidelines by spreading malware isn't the most salient or useful explanation. CNET has asked Yahoo for further information about the malware incident.

Last updated: 11:30 p.m. PT, January 5, 2014