This was revealed in a blog post by Fox-IT, an Internet security firm.
According to the blog, clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious. Those malicious advertisements are iframes hosted on the following domains:
- blistartoncom.org (192.133.137.59), registered on 1 Jan 2014
- slaptonitkons.net (192.133.137.100), registered on 1 Jan 2014
- original-filmsonline.com (192.133.137.63)
- funnyboobsonline.org (192.133.137.247)
- yagerass.org (192.133.137.56)
Upon visiting the malicious advertisements users get redirected to a “Magnitude” exploit kit via a HTTP redirect to seemingly random subdomains of:
- boxsdiscussing.net
- crisisreverse.net
- limitingbeyond.net
- and others
All those domains are served from a single IP address: 193.169.245.78. This IP-address appears to be hosted in the Netherlands.
This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:
- ZeuS
- Andromeda
- Dorkbot/Ngrbot
- Advertisement clicking malware
- Tinba/Zusy
- Necurs
The investigation showed that the earliest signs of infection were at December 30, 2013. Other reports suggest it might have started even earlier.
Fox IT estimated that, based on sample traffic, the number of visits to the site carrying the malicious code was visited around 300,000 times per hour. Given a typical infection rate of 9% this would result in around 27,000 infections every hour.
Source: Fox IT