According to a blog post from fox-it.com, they found ads.yahoo.com serving malicious ads from Yahoo's home page as early as December 30th. The malicious traffic appeared to come from the following subnets: 192.133.137.0/24 and 193.169.245.0/24. Most infections seem to be in Europe. Yahoo appears to be aware and addressing the issue, according to the blog. Has anyone else seen this? -- Tom Webb

Posted by Tom (ISC Handler, 59 Posts), Jan 4th 2014
Both registrants are Russian:

One box is in the Netherlands, but the owner is in Kiev:

inetnum: 193.169.244.0 - 193.169.245.255
descr: FOP Zemlyaniy Dmitro Leonidovich
country: NL
organisation: ORG-FZDL2-RIPE
org-name: FOP Zemlyaniy Dmitro Leonidovich
org-type: LIR
address: FOP Zemlyaniy Dmitro Leonidovich
address: Zemlyaniy Dmitro
address: Onore de Balzaka str. 86, app.29
address: 02232
address: Kyiv
address: UKRAINE

The second is likely in California, but run by a Russian:

NetRange: 192.133.136.0 - 192.133.143.255
OrgName: Serverel
OrgId: ST-1
Address: 970 Corte Madera ave
City: Sunnyvale
StateProv: CA
PostalCode: 94085
Country: US
OrgTechHandle: KUSHN-ARIN
OrgTechName: Kushnireuski, Andrei
OrgTechPhone: +1-877-246-7863
OrgTechEmail: noc@serverel.com

I suspect there is a connection.

Posted by Moriah (133 Posts), Jan 4th 2014
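A defender's check built from the two posts above, added here as an example that is not part of the thread: it scans constructed proxy-log lines for destinations inside the two /24 subnets named in the diary entry, and confirms that each of those /24s sits inside the WHOIS allocation quoted in the reply. The log layout, the sample lines, the client addresses and the host names are assumptions made up for the example; only the subnets and the WHOIS ranges come from the thread.

```python
"""Flag proxy-log entries whose destination falls in the subnets named in the thread."""
import ipaddress
import re

# Destination subnets named in the diary entry (from the fox-it.com write-up).
MALICIOUS_SUBNETS = [
    ipaddress.ip_network("192.133.137.0/24"),
    ipaddress.ip_network("193.169.245.0/24"),
]

# Allocations quoted from the WHOIS lookups in the reply, as (first, last)
# addresses; used to confirm that each /24 lies inside one of them.
WHOIS_ALLOCATIONS = {
    "FOP Zemlyaniy Dmitro Leonidovich": ("193.169.244.0", "193.169.245.255"),
    "Serverel": ("192.133.136.0", "192.133.143.255"),
}

# Constructed sample lines in an assumed "timestamp client dst status url"
# layout. These are made up for the example, not captured traffic.
SAMPLE_LOG = """\
1388516401.123 10.0.0.12 192.133.137.45 200 http://example-ad-host.invalid/path
1388516402.456 10.0.0.17 93.184.216.34 200 http://www.example.com/
1388516403.789 10.0.0.21 193.169.245.200 302 http://another-host.invalid/
1388516404.012 10.0.0.12 192.133.140.9 200 http://neighbour.invalid/
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<status>\d{3})\s+(?P<url>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None  # destination field is not an IP address
    return rec


def matching_subnet(addr):
    """Return the first listed subnet containing addr, or None."""
    for net in MALICIOUS_SUBNETS:
        if addr in net:
            return net
    return None


def flag_hits(log_text):
    """Return (client, destination, subnet) for every line hitting a listed subnet."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        net = matching_subnet(rec["dst"])
        if net is not None:
            hits.append((rec["client"], str(rec["dst"]), str(net)))
    return hits


def allocation_for(net):
    """Return the WHOIS organisation whose range fully contains net, or None."""
    for org, (first, last) in WHOIS_ALLOCATIONS.items():
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last))
        if lo <= int(net.network_address) and int(net.broadcast_address) <= hi:
            return org
    return None


if __name__ == "__main__":
    for client, dst, net in flag_hits(SAMPLE_LOG):
        org = allocation_for(ipaddress.ip_network(net))
        print(f"{client} -> {dst} (in {net}, allocated to {org})")
```

A hit only says that a client fetched something from one of the named ranges during the window, which is a lead for triage of that host rather than proof of infection. The fourth sample line sits in the Serverel allocation but outside the named /24, so it is deliberately not flagged; widen `MALICIOUS_SUBNETS` to the full allocations only if you accept the extra noise.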
Quoting Moriah: "Both registrants are Russian:"

Kyiv is the capital of _Ukraine_. (btw, in Russian it's spelled "Kiev".)

Quoting Moriah:

https://en.wikipedia.org/wiki/Kushnir: "Kushnir [...] is a Ukrainian and Jewish surname."

And https://en.wikipedia.org/wiki/Ski_%28disambiguation%29: "-ski, a common ending of predominantly Polish surnames of Slavonic origin"

pryvit (Ukrainian)
pozdrowienie (Polish)
regards (English)

Posted by Moriah (1 Posts), Jan 5th 2014
Does anyone know if this was a Blackhole toolkit on the backend? It SOUNDS like it from the description, but nobody seems to be actually saying so.

Posted by packetdude (22 Posts), Jan 9th 2014
I wrote this up at http://www.zdnet.com/yahoo-serves-malicious-ads-7000024775/

Yahoo gave me a statement: "At Yahoo, we take the safety and privacy of our users seriously. From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines -- specifically, they spread malware. On January 3, we removed these advertisements from our European sites. Users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected. Additionally, users using Macs and mobile devices were not affected. We will continue to monitor and block any advertisements being used for this activity. We will post more information for our users shortly."

Posted by Larry Seltzer (26 Posts), Jan 9th 2014