on 22 August 18
Yahoo's top websites fall victim to a malvertising attack within the company's ad network, although Yahoo will not reveal the number of people who may have been affected. Hackers exploited Adobe Flash software to conduct the attack.
For 7 days hackers went undetected as they used Yahooâs ad network to send malicious bits of code to computers that visit Yahooâs heavily trafficked websites.
Malware was spread through Yahoo's ads for a week, according to a senior security researcher at Malwarebytes, the security firm that first learned of the attack. The issue is that there are more than 100 million people visit Yahoo's new sites per month.
At the moment, Yahoo said it has curbed the attack that began on July 28, 2015.
A Yahoo spokesperson said in a statement, As soon as we learned of this issue, our team took action to block this advertiser from our network.
JÃ©rÃ´me Segura, a senior security researcher at Malwarebytes, said hackers used a bug in Adobe Flash, which streams audio and video. According to him, this is one of the largest malvertising attacks we have seen recently, Segura said.
However, Yahoo claimed the scale of the attack was initially blown out of proportion.
We take all potential security threats seriously, the company's spokesperson said. With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue.
How it happened?
The hack occurred somehow like this, A group of hackers bought ads across the internet giantâs sports, news and finance sites. When a computer visited a Yahoo site, it downloaded the malware code.
From there, the malware hunted an out-of-date version of Adobe Flash and commandeer the computer, holding the site for ransom till the hackers get paid or discreetly direct its browser to sites that paid the hackers for traffic. And if you are attacking sites such as Yahoo with hundreds of millions of visitors on the site everyday, a hacker may collect a rather massive fortune by ransom.
Problems with high graphics programme
There has been growing emphasis lately on the issue with using a heavily used graphics programme such as Adobe Flash which shares a great deal of security problems from the past that have frustrate developers at Silicon Valley Companies.
Advertising networks is a liability
There is a hacking trend growing whereby attacks on advertising networks are on the rise. How it works is that hackers would use the advertising networks themselves that are built for targeting specific demographics of Internet users to find vulnerable machines.
In a related incident, Yahoo's fellow search engine competitor, Google, fell victim to a similar large malvertising attack earlier this year. Hackers were found to be using Google's advertising service, DoubleClick, to launch attacks on visitors from other websites. Google responded by announcing it would encrypt all DoubleClick ads.
Yahoo also said in April that it would encrypt its ad network connections. The company said it has already installed end-to-end encryption for its Yahoo Mail.
Malvertising hacks have reached more than 2 million users in June this year, a startling record according to security firm Invincea.
A solution to the hacks:
The Adobe Flash-enabled attack on Yahoo has forced the company to lead a renewed call for the service to be disabled on personal computers short of Flash's outright retirement.
Also, online advertisers have received encouragement from top US senators to solidify their networks in order to protect online consumers from malvertising attacks.
As stated by Senator John McCain, who released a report in 2014 that urged online advertisers to take action, We must understand the security and privacy hazards consumers face in online advertising and make sure standards and rules exist to ensure consumers do not have to be more tech savvy than cyber criminals to stay safe online.
Parting words for Adobe Flash users:
To conclude, users are highly advised to update their flash Software so that their computers would no longer be vulnerable and this is because the majority of attacks we see are exploiting software installations that are not up to date on the latest security updates.
In case it wasnât clear yet, Adobe Flash isnât exactly the safest tool for delivering Internet content. Hackers are already more than aware of the software security issues and are happy to exploit them for various malicious purposes. Thatâs exactly what happened recently when hackers used Flash to infect Yahoo websites with malware in what has been described as one of the largest malvertising attacks seen in the last few years.