Malicious Ads from Yahoo

Published: 2014-01-04
Last Updated: 2014-01-04 13:49:34 UTC
by Tom Webb (Version: 1)
5 comment(s)

According to a blog post from fox-it.com, Fox-IT found ads.yahoo.com serving malicious ads from Yahoo's home page as early as December 30th. The malicious traffic appeared to come from the following subnets: 192.133.137.0/24 and 193.169.245.0/24. Most infections seem to be in Europe. Yahoo appears to be aware and addressing the issue, according to the blog.

Has anyone else seen this?

--

Tom Webb
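One way to answer "has anyone else seen this?" on your own network is to sweep proxy or firewall logs for the two subnets named above during the incident window. The script below is an added example, not code from the diary or from Fox-IT; it assumes a constructed, space-separated log format (ISO timestamp, client IP, destination IP, URL) and treats timestamps as UTC.

```python
import ipaddress
from datetime import datetime

# Subnets reported in the diary; window covers Dec 30 (Fox-IT's first sighting)
# through Jan 3 (the day Yahoo says the ads were pulled). Timestamps assumed UTC.
MALICIOUS_NETS = [ipaddress.ip_network(n) for n in ("192.133.137.0/24", "193.169.245.0/24")]
WINDOW_START = datetime(2013, 12, 30)
WINDOW_END = datetime(2014, 1, 4)  # exclusive, so all of Jan 3 is inside

# Constructed sample proxy log (invented hosts and clients), space separated:
# <ISO timestamp> <client ip> <destination ip> <url>
SAMPLE_LOG = """\
2013-12-31T10:12:01 10.0.0.5 98.139.0.1 http://ads.yahoo.com/example-ad
2013-12-31T10:12:03 10.0.0.5 193.169.245.78 http://redirect-a.example/landing
2014-01-02T08:00:10 10.0.0.9 192.133.137.55 http://redirect-b.example/exploit
2014-01-05T09:30:00 10.0.0.9 192.133.137.55 http://redirect-b.example/exploit
2014-01-02T11:45:22 10.0.0.12 192.133.136.20 http://other.example/
garbled line that must be skipped
"""

def match_net(ip):
    """Return the listed network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in MALICIOUS_NETS if addr in net), None)

def find_hits(log_text):
    """One dict per line whose destination is in a listed subnet inside the
    window. Malformed lines and unparsable fields are skipped, not fatal."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts_raw, client, dst, url = fields
        try:
            ts, net = datetime.fromisoformat(ts_raw), match_net(dst)
        except ValueError:
            continue
        if net is not None and WINDOW_START <= ts < WINDOW_END:
            hits.append({"ts": ts, "client": client, "dst": dst, "net": str(net), "url": url})
    return hits

def affected_clients(log_text):
    """Internal hosts that reached the subnets: the list to triage first."""
    return sorted({h["client"] for h in find_hits(log_text)})

if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(h["ts"], h["client"], "->", h["dst"], h["net"])
    print("triage:", affected_clients(SAMPLE_LOG))
```

The whois records quoted in the comments show allocations wider than the two /24s (for example 192.133.136.0 - 192.133.143.255), so widen MALICIOUS_NETS if you want to catch neighbouring addresses from the same registrants.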


Comments

Both registrants are Russian:

One box is in the Netherlands, but the owner is in Kiev:

inetnum: 193.169.244.0 - 193.169.245.255
descr: FOP Zemlyaniy Dmitro Leonidovich
country: NL
organisation: ORG-FZDL2-RIPE
org-name: FOP Zemlyaniy Dmitro Leonidovich
org-type: LIR
address: FOP Zemlyaniy Dmitro Leonidovich
address: Zemlyaniy Dmitro
address: Onore de Balzaka str. 86, app.29
address: 02232
address: Kyiv
address: UKRAINE

The second is likely in California, but run by a Russian:

NetRange: 192.133.136.0 - 192.133.143.255
OrgName: Serverel
OrgId: ST-1
Address: 970 Corte Madera ave
City: Sunnyvale
StateProv: CA
PostalCode: 94085
Country: US
OrgTechHandle: KUSHN-ARIN
OrgTechName: Kushnireuski, Andrei
OrgTechPhone: +1-877-246-7863
OrgTechEmail: noc@serverel.com

I suspect there is a connection. ;-)

[quote=comment#29003]Both registrants are Russian:

[...]
address: Kyiv
address: UKRAINE
[/quote]

Kyiv is the capital of _Ukraine_.
(btw. In Russian it's spelled "Kiev".)

[quote=comment#29003]
Kushnireuski, Andrei
[/quote]

https://en.wikipedia.org/wiki/Kushnir:
"Kushnir [...] is a Ukrainian and Jewish surname."
And
https://en.wikipedia.org/wiki/Ski_%28disambiguation%29:
"-ski, a common ending of predominantly Polish surnames of Slavonic origin"

pryvit (Ukrainian)
pozdrowienie (Polish)
regards (English)
Does anyone know if this was a Blackhole toolkit on the backend? It SOUNDS like it from the description, but nobody seems to be actually saying so.

I wrote this up at http://www.zdnet.com/yahoo-serves-malicious-ads-7000024775/

Yahoo gave me a statement:

"At Yahoo, we take the safety and privacy of our users seriously. From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines -- specifically, they spread malware. On January 3, we removed these advertisements from our European sites. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected.

We will continue to monitor and block any advertisements being used for this activity. We will post more information for our users shortly."
