Earlier this year, a number of users reported being the victims of malware infections after viewing advertisements on Yahoo websites. Investigators later discovered that the search engine company’s servers that specifically handle advertising were hit by a malware attack and were spreading the infection to users.
Security experts determined that the attack infected approximately 27,000 workstations and mobile devices every hour. With about 300,000 users visiting the site and viewing the malware-laced ads each hour, and roughly 9 percent of those devices becoming infected after loading the pages, the attack had a considerably widespread footprint.
The malware delivered through Yahoo’s servers was found to be an exploit kit designed to leverage Java security vulnerabilities in visitors’ browsers, and it infected users’ systems worldwide.
“Based on the same sample, the countries most affected by the exploit kit are Romania, Great Britain and France,” according to the security company investigating the occurrence. “At this time it’s unclear why those countries are most affected; it is likely due to the configuration of the malicious advertisements on Yahoo.”
Currently, experts believe the attack may have been financially motivated, but they are investigating further to substantiate that suspicion. Investigators did note that Mac and mobile device users were not affected by the malware strain, and that the attack did not reach individuals in North America, Latin America or Asia Pacific.
Yahoo officials said they were aware of the attack and the company is working to monitor and block malicious ads present on its servers.
Companies can better protect themselves from these types of attacks by deploying monitoring technology that governs activity on corporate workstations and network resources. Such systems provide greater oversight of computing systems and can alert operators to suspicious network activity. Administrators should also consider server restore software such as Deep Freeze Server, which can prevent the loss of critical information by returning compromised servers to their pre-infection state with a reboot.