CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 28th, 2008

Yahoo Banner Ads Infecting Visitors With Malware

Over the past few days, Yahoo has been exposing visitors to fraudware banner ads and also ads that try to trick them into installing malware. The ads are displayed across numerous web portal sections, including Yahoo Mail, Yahoo Groups and Yahoo Astrology.

Some of the ads pitch women’s deodorant, but behind the scenes, they contact servers that have been used by previous rogue ads targeting high-traffic websites. Typically, the ads produce a pop-up that looks strikingly similar to official Windows dialog pop-ups and urges the end user to download software to fix problems. Expedia, Rhapsody, MySpace, Excite, Blick, and CNN.com have all served up similar malicious ads in the past.

Attackers who inject their banners onto reputable sites usually take advantage of the highly decentralized way that online advertisements are sold. It’s not unusual for there to be a succession of affiliates, making it possible for an attacker to pose as an authorized agent of a name-brand product or service. In this case, Yahoo has been deceived into running ads that point to adtds2.promoplexer.com, which has been implicated in previous rogue banner attacks. Even if you don’t get redirected, the malvertizement still lets the bad guys know that it is on display by sending info to adtds2.promoplexer.com/statsa.php?campaign=yahoo and adsraise.com/mbuyers/statistics.html.

Among other malicious URL redirections there are:

eur.a1.yimg.com/java.europe.yimg.com/eu/any/yahoonew300x250.swf

ope.yahoo.com/eu/any/yahoonew728x90.swf

track.trackads.net/statsa.php?campaign=yahoo
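
As an added example (not part of the original article), here is one way a defender could sweep web proxy logs for the beacon requests described above. The log layout and the sample lines are constructed for illustration; the hosts and the /statsa.php?campaign= path are the ones named in the article.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts the article names as beacon / redirect endpoints.
ROGUE_HOSTS = {"adtds2.promoplexer.com", "adsraise.com", "track.trackads.net"}
# The article shows the same beacon path on two different hosts, so the
# path shape is checked as well to survive a change of host.
BEACON_PATH = "/statsa.php"

# Constructed sample. Assumed layout: "<client_ip> <method> <url> <referer>"
SAMPLE_LOG = """\
10.0.0.12 GET http://adtds2.promoplexer.com/statsa.php?campaign=yahoo http://mail.yahoo.com/
10.0.0.12 GET http://us.i1.yimg.com/logo.gif http://mail.yahoo.com/
10.0.0.31 GET http://adsraise.com/mbuyers/statistics.html http://groups.yahoo.com/
10.0.0.44 GET http://stats.example.net/statsa.php?campaign=portal http://www.example.org/
10.0.0.50 GET http://www.example.com/promoplexer.com.html -
malformed line
"""

def classify(url):
    """Return why a URL is suspicious, or None if it matches nothing."""
    parts = urlsplit(url)
    # Compare the parsed hostname, not a substring of the whole URL, so a
    # rogue name appearing in a path on an unrelated site is not flagged.
    host = (parts.hostname or "").lower().rstrip(".")
    if host in ROGUE_HOSTS:
        return "known-host"
    if parts.path.lower() == BEACON_PATH and "campaign" in parse_qs(parts.query):
        return "beacon-pattern"
    return None

def scan(log_text):
    """Yield (client, reason, host, referer) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:          # skip lines that do not fit the layout
            continue
        client, _method, url, referer = fields
        reason = classify(url)
        if reason:
            hits.append((client, reason, urlsplit(url).hostname, referer))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="\t")
```

The referer column shows which portal page was displaying the ad when the beacon fired, which helps identify the affected clients and the section of the site serving the creative.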

Other sites that use Yahoo advertising (like Ebay) could potentially expose visitors to the malvertizement and fraudware sites.

So far, emails have been sent to three different Yahoo PR reps, but there is still no indication that anyone at the company is even aware of the problem.

An extremely efficient and simple way to avoid the malware is to use the NoScript extension for Firefox. Even if you’ve whitelisted Yahoo, it will block JavaScript and Adobe Flash being sent from the attacker’s website.

Update: (May 3) After only 5 days, Yahoo have finally removed the infected ads and redirections mentioned above.

Web advertising featuring pop-up windows is often a viral threat for the viewer. But even a webmaster cannot pick its genius.
This is why hosting companies prefer marketing measures like pay per click instead.


    12 Responses to “Yahoo Banner Ads Infecting Visitors With Malware”

    1. Can you please provide some sources? Cannot find any information other than this site. Would like to see some proof.


    2. [...] across numerous web portal sections, including Yahoo Mail, Yahoo Groups and Yahoo Astrology. [...]


    3. CyberInsecure Says:
      April 29th, 2008 at 1:15 pm

      Scott: As someone on digg said, more info can be found at http://msmvps.com/blogs/spywaresucks/default.aspx


    4. [...] CyberInsecure.com Some of the ads pitch women’s deodorant, but behind the scenes, they contact servers that have [...]


    5. Malware has been shoved through ads for some time, and when it is, it’s generally weeded out fairly quickly. This is not something special to Yahoo, though having it go on for days is curious.


    6. I have had several Yahoo users with major Malware infestations, and have suspected they were getting it from their Yahoo accounts for some time, because after doing a Spybot and adware scan on Friday, by Tuesday their computers were back to their infected state. In a company of 30 people, it seemed odd that only 5 people in different departments were having this issue. Several other people surf basically the same sites, with no problems.


    7. Although it’s crummy, this is hard to be regulated on any ad network unless each review is consistently tracked. They need better reporting, but other than that, how can they be liable if someone changes their page after they go live? I suppose that Yahoo could put some sort of checksum


    8. linux geek Says:
      April 30th, 2008 at 6:33 am

      I suspect that this is a Microsoft backroom ploy to drive down Yahoo for a better takeover price.


    9. [...] It’s not that my clients did anything wrong, most swear that the last healthy, operational session on the computer consisted of some simple email or an instant messenger session. And I believe them, especially since I noticed many victims of this little surge were using Yahoo email accounts. [...]


    10. Currently, I am having a problem with Yahoo Mail login. It redirects to US.mc.823mail.yahoo, then to US.rd.yahoo.com and then to US.f823.mail.com. Unwanted ads are popping up from time to time. I have Norton’s firewall in place. So, I am wondering if Yahoo ads are a problem again? I have tried several anti-virus programs, starting with Norton, and none of them has found anything as of yet. But those ads don’t show up on their own without a cause.


    11. Redirection to mail.com is very suspicious. There is a chance your:

      1. DNS is poisoned
      2. Router settings changed by some malware
      3. Hosts file was changed by someone/something
      4. Browser is infected with something that disrupts normal browsing

      In any case, this redirection is abnormal. Check your system for unexplained outgoing traffic and scan as soon as possible with a FEW anti-virus/anti-malware products, as Norton cannot be trusted.


    12. Jeff Rogers Says:
      March 4th, 2009 at 6:06 am

      I’ve also found Malware embedded in Rogers/Yahoo web mail pages. It’s stuck in ONLY ONE of the continuously changing ads on the web page; this one is called “Be a Better Shopper” and it shows a picture ad of what looks like an iPhone in the landscape position with some albums being displayed. If you put your mouse on the picture (don’t click it), the URL at the bottom will appear and tell you that a Malware program called “Yieldmanager” is about to be installed on your computer if you click on it. I’ve contacted Rogers Technical support and they say they can’t re-create this situation and that the problem is probably on my end. I know for sure that it’s on their server and can re-create it anytime I want by just logging in to the web-mail page. Rogers doesn’t care about this and blames Yahoo. I don’t pay Yahoo, I pay Rogers, but I’m not getting any joy here at all.

      Does anyone have any info on who I’d complain to that will make any difference? Someone mentioned Yahoo and that they have removed other spyware and malware, but they are just replacing it with this one. Yieldmanager is a nasty program to try and get off your computer and just now Panda recognizes it, but only after it’s on your computer. HELP

      Jeff

