Up to 27,000 people an hour were infected by malicious advertisements served by Yahoo, which drove users to a raft of dodgy websites including funnyboobsonline.org and yagerass.com.
The scam, which Yahoo now claims to have resolved, was discovered by cyber defence and IT security company Fox-IT, which found that its clients were being infected after visiting the website.
The company claims the UK, France and Romania were the countries most affected by the issue. It said in a blog post: “Upon visiting the malicious advertisements users get redirected to a ‘Magnitude’ exploit kit via an HTTP redirect to seemingly random subdomains. All those are served from a single IP address: 193.169.245.78, which appears to be hosted in the Netherlands.”
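The two traits Fox-IT describes, a redirect from an ad slot to a throwaway-looking subdomain and every such subdomain resolving to the same IP address, are exactly what a defender can hunt for in web proxy logs. The following is an added example, not code from the article or from Fox-IT: it scores redirect targets for random-looking hostnames and matches the resolved address against the indicator quoted above. The log lines and the `example-adnetwork.test` / `example-ek.test` hostnames are constructed for the example; only the IP address comes from the article.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Indicator quoted in the article (Fox-IT write-up): exploit-kit hosting address.
EK_INDICATOR_IP = "193.169.245.78"

# Constructed sample proxy log, one request per line (not real traffic).
# Fields: client_ip, HTTP status, requested URL, Location header ("-" if none),
# resolved IP of the Location host ("-" if none).
SAMPLE_LOG = """\
10.0.0.5 302 http://ads.example-adnetwork.test/serve?id=42 http://qk3z9b.example-ek.test/index.php 193.169.245.78
10.0.0.6 200 http://news.example.test/story/1 - -
10.0.0.7 302 http://ads.example-adnetwork.test/serve?id=43 http://x7v2p1m.example-ek.test/ 193.169.245.78
10.0.0.8 302 http://shop.example.test/go http://www.example.test/landing 203.0.113.20
"""


def shannon_entropy(text):
    """Bits of entropy per character; DGA-style labels score higher than words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label):
    """Heuristic for 'seemingly random' subdomain labels: long, mixed letters
    and digits, and high per-character entropy. Thresholds are assumptions."""
    label = label.lower()
    return (
        len(label) >= 6
        and re.search(r"\d", label) is not None
        and re.search(r"[a-z]", label) is not None
        and shannon_entropy(label) >= 2.5
    )


def parse_line(line):
    client, status, url, location, dest_ip = line.split()
    return {
        "client": client,
        "status": int(status),
        "url": url,
        "location": location,
        "dest_ip": dest_ip,
    }


def analyse(log_text):
    """Return the redirect events that match the malvertising pattern, with
    the reason(s) each one tripped, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only HTTP redirects with a Location header are of interest.
        if not (300 <= rec["status"] < 400) or rec["location"] == "-":
            continue
        reasons = []
        if rec["dest_ip"] == EK_INDICATOR_IP:
            reasons.append("indicator-ip")
        host = urlparse(rec["location"]).hostname or ""
        first_label = host.split(".")[0]
        if looks_random(first_label):
            reasons.append("random-subdomain")
        if reasons:
            findings.append({"client": rec["client"], "target": host, "reasons": reasons})
    return findings


def pivot_by_ip(log_text):
    """Count redirect targets per resolved IP: many distinct hostnames landing
    on one address is the 'single IP' pattern Fox-IT described."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if 300 <= rec["status"] < 400 and rec["dest_ip"] != "-":
            counts[rec["dest_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["client"], "->", f["target"], ",".join(f["reasons"]))
    print(pivot_by_ip(SAMPLE_LOG))
```

Run on the constructed log, `analyse` flags the two ad-slot redirects on both grounds and leaves the legitimate `www.example.test` redirect alone; `pivot_by_ip` shows the two random-looking hostnames collapsing onto one address, which is the pivot an analyst would use to block the host at the proxy rather than chasing individual subdomains.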
This attack exploits vulnerabilities in Java and can install a host of malware including Zeus, Andromeda, Dorkbot/Ngrbot, and the advertisement-clicking malware Tinba, Zusy and Necurs.
Fox-IT said that users did not need to click on the ads to receive the malware; they could have been infected simply by visiting a webpage that contained the infected ads.
Fox-IT worked out from a sample of traffic that the number of visits to the malicious website was around 300,000 per hour.
“Given a typical infection rate of 9%, this would result in around 27,000 infections every hour,” the security firm said. “It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated.”