Yahoo Compromised to Deliver Exploit Kits

On February 3, Fox-IT posted a blog article on malicious advertisements being served via Yahoo! which was then discussed by CNN. The compromise was active from December 31, 2013 to February 3, 2014.

Fox-IT identified a single IP address that was used to deliver the exploit kit and based on their same traffic, they estimated visits to the site at around 300k/hr. With a typical infection rate of 9%, this would result in a rate of 27,000 infections per hour. The countries most affected were identified as are Romania, Great Brittain and France

Infection Flow Chart

The following chart is from Fox-IT’s blog article and shows how an ad injected in a user’s web page browsing ultimately leads to the installation of an exploit kit.

Yahoo Ad Server Compromise

Malware / Exploit Kits

Fox-IT indicates that a number of different exploit kits were used including the ZeuS kit which has been posted on Github.