Over the past few days, Yahoo has been exposing visitors to fraudware banner ads and to ads that try to trick them into installing malware. The ads are displayed across numerous web portal sections, including Yahoo Mail, Yahoo Groups and Yahoo Astrology.
Some of the ads pitch women’s deodorant, but behind the scenes they contact servers that have been used by previous rogue ads targeting high-traffic websites. Typically, the ads produce a pop-up that looks strikingly similar to an official Windows dialog and urges the user to download software to fix problems. Expedia, Rhapsody, MySpace, Excite, Blick, and CNN.com have all served up similar malicious ads in the past.
Attackers who inject their banners onto reputable sites usually take advantage of the highly decentralized way that online advertisements are sold. It’s not unusual for there to be a succession of affiliates, making it possible for an attacker to pose as an authorized agent of a name-brand product or service. In this case, Yahoo has been deceived into running ads that point to adtds2.promoplexer.com, which has been implicated in previous rogue banner attacks. Even if you don’t get redirected, the malvertizement still lets the bad guys know that it is on display by sending a tracking beacon to adtds2.promoplexer.com/statsa.php?campaign=yahoo and adsraise.com/mbuyers/statistics.html.
Other URLs involved in the redirect and tracking chain include the Flash creatives themselves, hosted on Yahoo’s own ad servers, and a second copy of the tracking beacon:
eur.a1.yimg.com/java.europe.yimg.com/eu/any/yahoonew300x250.swf
ope.yahoo.com/eu/any/yahoonew728x90.swf
track.trackads.net/statsa.php?campaign=yahoo
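The beacon and redirect URLs above are exactly the kind of indicator a defender would hunt for in web-proxy logs. The following is an added example, not code from the original article or from cyberinsecure.com: it classifies each request against the third-party hosts named here (matched as exact host or subdomain, never as a substring), against the Yahoo-hosted Flash creatives (matched on full host plus path, since yimg.com and yahoo.com are legitimate hosts), and, more loosely, against the `statsa.php?campaign=` beacon pattern on any host, because the article shows that same path on two different domains. The log format, client addresses and the `www.example.com` and `example.net` lines are constructed for the demonstration; the `×` in the creative filenames may be a rendering of a plain `x`, so the pattern accepts either.

```python
"""Scan web-proxy log lines for the malvertising indicators named in the article."""
import re
from urllib.parse import urlsplit, parse_qs

# Third-party hosts from the article: tracking beacons and redirect targets.
# Any request to these hosts (or a subdomain of them) is a high-confidence hit.
IOC_HOSTS = {"adtds2.promoplexer.com", "adsraise.com", "track.trackads.net"}

# The beacon path appears on two different hosts in the article, so it is
# also matched on its own (with a campaign= parameter) as a lower-confidence hit.
BEACON_PATH_RE = re.compile(r"/statsa\.php$")

# The Flash creatives sit on Yahoo's own CDN, so only the full host+path is
# an indicator, never the host alone. The article renders the ad dimensions
# with a multiplication sign; the pattern accepts either that or a plain "x".
CREATIVE_HOST_RE = re.compile(r"(^|\.)(yimg|yahoo)\.com$")
CREATIVE_PATH_RE = re.compile(r"/eu/any/yahoonew\d+[x×]\d+\.swf$")


def host_matches(host: str, ioc: str) -> bool:
    """Exact host or a subdomain; a mere substring (ioc.example.net) must not match."""
    return host == ioc or host.endswith("." + ioc)


def classify(url: str):
    """Return a reason string if the URL matches an indicator, otherwise None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path
    query = parse_qs(parts.query)

    if any(host_matches(host, ioc) for ioc in IOC_HOSTS):
        return "ioc-host"
    if CREATIVE_HOST_RE.search(host) and CREATIVE_PATH_RE.search(path):
        return "ioc-creative"
    if BEACON_PATH_RE.search(path) and "campaign" in query:
        return "beacon-pattern"
    return None


def scan_log(text: str):
    """Parse 'timestamp client method url status' lines; return (client, url, reason) hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip it rather than crash the scan
        _ts, client, _method, url, _status = fields[:5]
        reason = classify(url)
        if reason:
            hits.append((client, url, reason))
    return hits


# Constructed sample lines (not real traffic) in a squid-like format.
SAMPLE_LOG = """\
1207000001.123 10.0.0.5 GET http://mail.yahoo.com/ 200
1207000002.456 10.0.0.5 GET http://eur.a1.yimg.com/java.europe.yimg.com/eu/any/yahoonew300x250.swf 200
1207000003.789 10.0.0.5 GET http://adtds2.promoplexer.com/statsa.php?campaign=yahoo 200
1207000004.012 10.0.0.7 GET http://adsraise.com/mbuyers/statistics.html 200
1207000005.345 10.0.0.9 GET http://track.trackads.net/statsa.php?campaign=yahoo 302
1207000006.678 10.0.0.9 GET http://www.example.com/statsa.php?campaign=test 200
1207000007.901 10.0.0.11 GET http://adtds2.promoplexer.com.example.net/ 200
"""

if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"{reason:15} {client:10} {url}")
```

The three confidence levels matter in practice: a hit on an `ioc-host` is worth an alert on its own, an `ioc-creative` hit tells you which users were served the rogue banner even if their browser never followed the redirect, and a bare `beacon-pattern` hit on an unlisted host is a lead for finding the campaign's next domain rather than proof of compromise.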
Other sites that use Yahoo’s advertising network (eBay, for example) could also expose their visitors to the malvertizement and the fraudware sites it leads to.
So far, emails have been sent to three different Yahoo PR reps, but there is no indication that anyone at the company is even aware of the problem.
A simple and effective way to avoid this kind of attack is the NoScript extension for Firefox. NoScript allows scripts and plugins per domain, so even if you have whitelisted Yahoo, JavaScript and Adobe Flash coming from the attacker’s domains (promoplexer.com, adsraise.com, trackads.net) stay blocked. Note that the Flash creatives in this campaign are served from Yahoo’s own yimg.com and yahoo.com hosts, so a whitelist broad enough to include those will let the banner itself run; the protection then comes from the beacons and redirect targets on the third-party hosts still being blocked.
Source: cyberinsecure.com