Cyber Incident Victim: Yahoo Malaysia
Date: Dec 2013
Location: Netherlands
Summary
A compromise of Yahoo's advertising network led to malware being distributed to visitors through malicious ads that exploited Java vulnerabilities; the ads reached an estimated 300,000 users per hour, infecting approximately 27,000 of them. The attack, believed to be financially motivated, delivered exploit kits that installed malware on vulnerable systems. The company removed the malicious ads and implemented monitoring measures, and confirmed that the incident primarily affected European PC users, with no impact on visitors from North America, Asia Pacific, or Latin America, or on users of Mac or mobile devices.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late December 2013 and early January 2014, Yahoo's advertising infrastructure suffered a security breach affecting visitors to its European platforms. Netherlands-based security firm Fox-IT identified that Yahoo's advertising network (ads.yahoo.com) had been compromised, with malicious activity observed as early as December 30. The attackers used Yahoo's ad servers to distribute an exploit kit targeting vulnerabilities in the Java software on visitors' computers. The exploit kit systematically probed for weaknesses in order to install multiple malware components, though Fox-IT did not identify the specific malware variants or the perpetrators. The firm assessed the campaign as financially motivated, potentially involving the sale of compromised machines to third parties. At its peak, Fox-IT estimated that the malicious ads were delivered to approximately 300,000 visitors per hour; with a 9% infection rate, this translates to roughly 27,000 compromised devices per hour. The attack exclusively targeted Windows-based personal computers through the Java vulnerability vector.

Yahoo confirmed awareness of the incident on January 5, 2014, stating that it had removed the malicious advertisement and implemented monitoring to block similar activity. In subsequent communications with The Washington Post, the company clarified that the attack specifically targeted European users, with no impact on visitors from North America, Asia Pacific, or Latin America. Yahoo further noted that users accessing its services from Mac computers or mobile devices remained unaffected throughout the incident. No details were provided regarding the duration of exposure prior to detection or any remediation steps beyond ad removal. Fox-IT's disclosure did not include information about data theft from affected users or secondary impacts stemming from the malware infections. The incident highlighted digital advertising networks as an attack vector, though Yahoo did not disclose how the malicious ads bypassed its screening processes.
