cnni yahoo malware_00001923.jpg
Yahoo malware problems
00:28 - Source: CNN

Story highlights

NEW: Ads began to appear on December 31 and were removed Friday, Yahoo says

Yahoo's servers released a kit that exploited Java and installed malware

An IT security firm estimates tens of thousands of users were affected per hour

CNN  — 

A malware attack hit Yahoo’s advertising server over the last few days, affecting thousands of users in various countries, an Internet security company said.

In a blog post, Fox-IT said Yahoo’s servers were releasing an “exploit kit” that exploited vulnerabilities in Java and installed malware.

“Clients visiting received advertisements served by,” the Internet security company said. “Some of the advertisements are malicious.”

Fox-IT, which is based in the Netherlands, focuses on cyber defense. It estimates that tens of thousands of users were affected per hour.

“Given a typical infection rate of 9%, this would result in around 27,000 infections every hour,” the company said. “Based on the same sample, the countries most affected by the exploit kit are Romania, Great Britain and France. At this time it’s unclear why those countries are most affected, it is likely due to the configuration of the malicious advertisements on Yahoo.”

If a computer infected with malware is connected to a network, attackers can often access other connected systems and servers.

Yahoo said it is aware of the attack and is monitoring and blocking such advertisements.

“At Yahoo, we take the safety and privacy of our users seriously,” it said in a prepared statement Monday. “From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware. On January 3, we removed these advertisements from our European sites.”

The attacks did not affect North America, Latin America and the Asia Pacific region, Yahoo said.

“Additionally, users using Macs and mobile devices were not affected,” it added.

Fox-IT said it is unclear who’s behind the attack, but it appears to be “financially motivated.” It did not provide details.

Top tech fails of 2013