Yahoo Banner Ads Infecting Visitors With Malware
Over the past few days, Yahoo has been exposing visitors to fraudware banner ads and also ads that try to trick them into installing malware. The ads are displayed across numerous web portal sections, including Yahoo Mail, Yahoo Groups and Yahoo Astrology.
Some of the ads pitch women’s deodorant, but behind the scenes, they contact servers that have been used by previous rogue ads targeting high-traffic websites. Typically, the ads produce a pop up that looks strikingly similar to official Windows dialog pop-ups that urge the end user to download software to fix problems. Expedia, Rhapsody, MySpace, Excite, Blick, and CNN.com have all served up similar malicious ads in the past.
Attackers who inject their banners onto reputable sites usually take advantage of the highly decentralized way that online advertisements are sold. It’s not unusual for there to be a succession of affiliates, making it possible for an attacker to pose as an authorized agent of a name-brand product or service. In this case, Yahoo has gotten deceived into running ads that point to adtds2.promoplexer.com, which has been implicated in previous rogue banner attacks. Even if you don’t get redirected, the malvertizement still let’s the bad guys know that it is on display by sending info to adtds2.promoplexer.com/statsa.php?campaign=yahoo and adsraise.com/mbuyers/statistics.html
Among other malicious URL redirections there are:
eur.a1.yimg.com/java.europe.yimg.com/eu/any/yahoonew300x250.swf
ope.yahoo.com/eu/any/yahoonew728x90.swf
track.trackads.net/statsa.php?campaign=yahoo
Other sites that use Yahoo advertising (like Ebay) could potentially expose visitors to the malvertizement and fraudware sites.
So far emails were sent to three different Yahoo PR reps but until now there’s no indication anyone at the company is even aware of the problem.
An extremely efficient and simple way to avoid malware would be using the NoScript extension for Firefox. Even if you’ve whitelisted Yahoo, it will block JavaScript and Adobe Flash being sent from the attacker’s website.
Update: (May 3) After only 5 days, Yahoo have finally removed the infected ads and redirections mentioned above.
The web advertising featuring pop up windows are often a viral threat for the viewer. But even a webmaster cannot pick its genius. |
More on CyberInsecure:
April 29th, 2008 at 12:35 pm
Can you please provide some sources? Cannot find any information other than this site. Would like to see some proof.
April 29th, 2008 at 12:37 pm
[…] across numerous web portal sections, including Yahoo Mail, Yahoo Groups and Yahoo Astrology.read more | digg story addthis_url = […]
April 29th, 2008 at 1:15 pm
Scott: As someone on digg said, more info can be found at http://msmvps.com/blogs/spywaresucks/default.aspx
April 29th, 2008 at 1:47 pm
[…] CyberInsecure.com Some of the ads pitch women’s deodorant, but behind the scenes, they contact servers that have […]
April 29th, 2008 at 2:59 pm
Malware has been shoved through ads for some time, and when it is, it’s generally weeded out fairly quickly. This is not something special to Yahoo, though having it go on for days is curious.
April 29th, 2008 at 3:36 pm
I have had several Yahoo users with major Malware infestations, and have suspected they were getting it from their Yahoo accounts for some time, because after doing a spybot and adware scan on Friday, by Tuesday their computers were back to their infected state. in a company of 30 people, it seemed odd that only 5 people in different departments were having this issue. Several other people surf basically the same sites, with no problems.
April 29th, 2008 at 3:36 pm
although it’s crummy, this is hard to be regulated on any ad network unless each review is consistently tracked. They need better reporting, but other than that, how can they be liable if someone changes their page after they go live? I suppose that Yahoo could put some sort of checksum
April 30th, 2008 at 6:33 am
i suspect that this is a microsoft backroom ploy to drive down yahoo for a better takeover price.
May 25th, 2008 at 3:58 am
[…] It’s not that my clients did anything wrong, most swear that the last healthy, operational session on the computer consisted of some simple email or an instant messenger session. And I believe them, especially since I noticed many victims of this little surge were using Yahoo email accounts. […]
September 26th, 2008 at 9:33 am
Currently, I am having a problem with Yahoo Mail login. It redirects to US.mc.823mail.yahoo, then to US.rd.yahoo.com and then to US.f823.mail.com unwanted ads are popping up from time to time. I have Norton’s firewall in place. So, I am wondering if Yahoo ads are a problem again? I have tried several anti-virus programs, starting with Norton and none of them has found anything as of yet. But, those ads don’t show up on their own without a cause.
September 26th, 2008 at 10:28 am
Redirection to mail.com is very suspicious. There is a chance your:
1. DNS is poisoned
2. Router settings changed by some malware
3. Hosts file was changed by someone/something
4. Browser is infected with something that disrupts normal browsing
In any case, this redirection is abnormal. Check your system for unexplained outgoing traffic and scan as soon as possible with FEW anti-virus/anti-malware products, as Norton can not be trusted.
March 4th, 2009 at 6:06 am
I’ve also found Malware embedded in Rogers/Yahoo web mail pages. It’s stuck in ONLY ONE of the continuously changing ads on the web page, this one is called “Be a Better Shopper” and it shows a picture ad of what looks like an iPhone in the landscape position with some albums being displayed. If you put your mouse on the picture (Don’t click it) the url at the bottom with appear and tell you that a Malware program called “Yieldmanager” is about to be installed on your computer if you click on it. I’ve contacted Rogers Technical support and they say they can’t re-create this situation and that the problem is probably on my end. I know for sure that it’s on their server and can re-create it anytime I want by just logging in to the web-mail page. Rogers doesn’t care about this and blames Yahoo. I don’t pay Yahoo I pay Rogers but I’m not getting any joy here at all.
Does anyone have any info on who I’d complain to that will make any difference? Someone mentioned Yahoo and that they have removed other spyware and malware, but they are just replacing it with this one. Yieldmanager is a nasty program to try and get off your computer and just now Panda recognizes it, but only after it’s on your computer. HELP
Jeff