After Christmas, whilst everyone was enjoying their gifts from loved ones, Yahoo were busy responding to a threat which took advantage of Yahoo’s Java-based ad network.
The attack was originally believed to have been restricted to European users on January 3, 2014, but the range of dates was then expanded to December 31, 2013 – January 3, 2014. Yahoo has now revealed that the attack actually took place between December 27, 2013 and January 3, 2014, and affected users outside the European Union as well.
Initial estimates put the number of affected customers at around 2 million, although exactly how many customers were compromised during the attack remains unclear. Yahoo said the attack was the result of an account being compromised, but never disclosed which account. The company states that the account has been suspended and that the incident is being investigated by law enforcement.
Yahoo cover-up?
According to reports, users who visited Yahoo sites during the attack window, including Yahoo Mail and Yahoo IM, could have been shown adverts injected with malware. Simply viewing these adverts could have installed malicious code on their PCs without their consent, via code that exploited vulnerabilities in Java.
US-based security company Light Cyber said that one of the malware programs was designed to turn infected computers into Bitcoin mining machines.
Many of our customers share threat intelligence with our Magna Cloud, so our research lab noticed this unknown malware and attack campaign coming from our customers’ networks and investigated the specific case. As part of the investigation, we found a few tools that were downloaded by the malware. This specific attack campaign incorporated a variety of different monetization techniques using a variety of malware. The attackers made sure they exploited each of the millions of infected machines to its full worth by employing Bitcoin miners, WebMoney wallet hackers, personal information extraction, banking information extraction, and generic remote access tools.
Yahoo acknowledged the attack and eventually (probably) came clean with the correct attack window. Instead of offering specific advice to any infected customers, Yahoo posted recommendations for consumers to keep their Windows installation up to date and apply the correct security fixes, so that they are not left vulnerable.