Yahoo Banner Ads Infecting Visitors With Malware
Over the past few days, Yahoo has been exposing visitors to fraudware banner ads and also ads that try to trick them into installing malware. The ads are displayed across numerous web portal sections, including Yahoo Mail, Yahoo Groups and Yahoo Astrology.
Some of the ads pitch women’s deodorant, but behind the scenes, they contact servers that have been used by previous rogue ads targeting high-traffic websites. Typically, the ads produce a pop up that looks strikingly similar to official Windows dialog pop-ups that urge the end user to download software to fix problems. Expedia, Rhapsody, MySpace, Excite, Blick, and CNN.com have all served up similar malicious ads in the past.
Attackers who inject their banners onto reputable sites usually take advantage of the highly decentralized way that online advertisements are sold. It’s not unusual for there to be a succession of affiliates, making it possible for an attacker to pose as an authorized agent of a name-brand product or service. In this case, Yahoo has gotten deceived into running ads that point to adtds2.promoplexer.com, which has been implicated in previous rogue banner attacks. Even if you don’t get redirected, the malvertizement still let’s the bad guys know that it is on display by sending info to adtds2.promoplexer.com/statsa.php?campaign=yahoo and adsraise.com/mbuyers/statistics.html
Among other malicious URL redirections there are:
eur.a1.yimg.com/java.europe.yimg.com/eu/any/yahoonew300×250.swf
ope.yahoo.com/eu/any/yahoonew728×90.swf
track.trackads.net/statsa.php?campaign=yahoo
Other sites that use Yahoo advertising (like Ebay) could potentially expose visitors to the malvertizement and fraudware sites.
So far emails were sent to three different Yahoo PR reps but until now there’s no indication anyone at the company is even aware of the problem.
An extremely efficient and simple way to avoid malware would be using the NoScript extension for Firefox. Even if you’ve whitelisted Yahoo, it will block JavaScript and Adobe Flash being sent from the attacker’s website.
Update: (May 3) After only 5 days, Yahoo have finally removed the infected ads and redirections mentioned above.
Posts
April 29th, 2008 at 12:35 pm
Can you please provide some sources? Cannot find any information other than this site. Would like to see some proof.
April 29th, 2008 at 12:37 pm
[…] across numerous web portal sections, including Yahoo Mail, Yahoo Groups and Yahoo Astrology.read more | digg story addthis_url = […]
April 29th, 2008 at 1:15 pm
Scott: As someone on digg said, more info can be found at http://msmvps.com/blogs/spywaresucks/default.aspx
April 29th, 2008 at 1:47 pm
[…] CyberInsecure.com Some of the ads pitch women’s deodorant, but behind the scenes, they contact servers that have […]
April 29th, 2008 at 2:59 pm
Malware has been shoved through ads for some time, and when it is, it’s generally weeded out fairly quickly. This is not something special to Yahoo, though having it go on for days is curious.
April 29th, 2008 at 3:36 pm
I have had several Yahoo users with major Malware infestations, and have suspected they were getting it from their Yahoo accounts for some time, because after doing a spybot and adware scan on Friday, by Tuesday their computers were back to their infected state. in a company of 30 people, it seemed odd that only 5 people in different departments were having this issue. Several other people surf basically the same sites, with no problems.
April 29th, 2008 at 3:36 pm
although it’s crummy, this is hard to be regulated on any ad network unless each review is consistently tracked. They need better reporting, but other than that, how can they be liable if someone changes their page after they go live? I suppose that Yahoo could put some sort of checksum
April 30th, 2008 at 6:33 am
i suspect that this is a microsoft backroom ploy to drive down yahoo for a better takeover price.
May 25th, 2008 at 3:58 am
[…] It’s not that my clients did anything wrong, most swear that the last healthy, operational session on the computer consisted of some simple email or an instant messenger session. And I believe them, especially since I noticed many victims of this little surge were using Yahoo email accounts. […]