
SANS ISC InfoSec Community Forums

Malicious Ads from Yahoo
Quoting Diary:

According to a blog post from fox-it.com, they found ads.yahoo.com serving malicious ads from Yahoo's home page as early as December 30th. The malicious traffic appeared to come from the following subnets 192.133.137.0/24 and 193.169.245.0/24. Most infections seem to be in Europe. Yahoo appears to be aware and addressing the issue, according to the blog.

Has anyone else seen this?

--

Tom Webb

Tom W

11 Posts
ISC Handler
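For anyone answering "has anyone else seen this?" from their own data, the practical check is a sweep of proxy or firewall logs for connections into the two /24s named above. The following is an added example, not part of the ISC thread or the fox-it write-up; the log layout (timestamp, client, destination IP, URL) and every sample line are constructed for illustration, and only the two ranges quoted in the post are used as indicators.

```python
# Added example (not from the ISC thread): sweep proxy/firewall logs for
# connections into the two /24 ranges reported in the first post.
# The log format and the sample lines below are constructed for illustration.
import ipaddress
import re
from collections import Counter

# Ranges named in the fox-it.com write-up quoted above.
SUSPECT_NETWORKS = [
    ipaddress.ip_network("192.133.137.0/24"),
    ipaddress.ip_network("193.169.245.0/24"),
]

# Constructed sample lines in a "timestamp client dest-ip url" layout.
# 192.133.140.9 sits in the same registrant's wider allocation but outside
# the reported /24, so it is deliberately NOT matched here.
SAMPLE_LOG = """\
1388496001.123 10.1.2.15 93.184.216.34 http://example.com/index.html
1388496002.456 10.1.2.15 192.133.137.42 http://ads.example.net/x.php?id=1
1388496003.789 10.1.2.88 193.169.245.7 http://cdn.example.org/jar/run.jar
1388496004.012 10.1.2.15 192.133.140.9 http://other.example/ok
1388496005.345 10.1.2.88 193.169.245.7 http://cdn.example.org/second
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<url>\S+)$"
)


def parse_line(line):
    """Return (ts, client, dest_ip, url), or None if the line does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        dest = ipaddress.ip_address(m.group("dest"))
    except ValueError:  # destination field was a hostname or junk
        return None
    return m.group("ts"), m.group("client"), dest, m.group("url")


def is_suspect(ip):
    """True if the address (str or ip_address object) is in a reported /24."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_NETWORKS)


def find_hits(log_text):
    """All parsed records whose destination falls in a suspect range."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspect(rec[2]):
            hits.append(rec)
    return hits


def clients_to_check(log_text):
    """Map internal client -> number of connections into suspect ranges."""
    return Counter(rec[1] for rec in find_hits(log_text))


if __name__ == "__main__":
    for ts, client, dest, url in find_hits(SAMPLE_LOG):
        print(f"{ts} {client} -> {dest} {url}")
    print(dict(clients_to_check(SAMPLE_LOG)))
```

The match is kept to the two /24s the post reports; the whois output later in the thread shows both registrants hold wider blocks (a /23 and a /21), and whether to widen the sweep to those allocations is a judgement call for the local analyst, since a wider net also catches unrelated customers of the same provider.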
Both registrants are Russian:

One box is in the Netherlands, but the owner is in Kiev:

inetnum: 193.169.244.0 - 193.169.245.255
descr: FOP Zemlyaniy Dmitro Leonidovich
country: NL
organisation: ORG-FZDL2-RIPE
org-name: FOP Zemlyaniy Dmitro Leonidovich
org-type: LIR
address: FOP Zemlyaniy Dmitro Leonidovich
address: Zemlyaniy Dmitro
address: Onore de Balzaka str. 86, app.29
address: 02232
address: Kyiv
address: UKRAINE

The second is likely in California, but run by a Russian:

NetRange: 192.133.136.0 - 192.133.143.255
OrgName: Serverel
OrgId: ST-1
Address: 970 Corte Madera ave
City: Sunnyvale
StateProv: CA
PostalCode: 94085
Country: US
OrgTechHandle: KUSHN-ARIN
OrgTechName: Kushnireuski, Andrei
OrgTechPhone: +1-877-246-7863
OrgTechEmail: noc@serverel.com

I suspect there is a connection. ;-)
Moriah

107 Posts
Quoting Moriah: Both registrants are Russian:

[...]
address: Kyiv
address: UKRAINE


Kyiv is the capital of _Ukraine_.
(btw. In Russian it's spelled "Kiev".)

Quoting Moriah:
Kushnireuski, Andrei


https://en.wikipedia.org/wiki/Kushnir:
"Kushnir [...] is a Ukrainian and Jewish surname."
And
https://en.wikipedia.org/wiki/Ski_%28disambiguation%29:
"-ski, a common ending of predominantly Polish surnames of Slavonic origin"

pryvit (Ukrainian)
pozdrowienie (Polish)
regards (English)
Anonymous

1 Posts
Does anyone know if this was a Blackhole toolkit on the backend? It SOUNDS like it from the description, but nobody seems to be actually saying so.
packetdude

10 Posts
I wrote this up at http://www.zdnet.com/yahoo-serves-malicious-ads-7000024775/

Yahoo gave me a statement:

"At Yahoo, we take the safety and privacy of our users seriously. From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines -- specifically, they spread malware. On January 3, we removed these advertisements from our European sites. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected.

We will continue to monitor and block any advertisements being used for this activity. We will post more information for our users shortly."
Larry Seltzer

13 Posts