A large number of Yahoo users are victims of the largest “malvertising” attack. A malware company bought ads on Yahoo websites, and those ads installed malware carrying ad-fraud and ransomware software onto users’ computers without any user interaction!
The attack exploits a vulnerability in Adobe Flash to install the malware on the user’s computer automatically. All the user has to do is have the malware-infected ads load in their web browser, and the attack starts on its own.
Yahoo quickly took down the malware company’s ads as soon as it was notified by Malwarebytes, which said:
one of the largest malvertising attacks we have seen recently.
Malwarebytes also said:
Unfortunately, disruptive ad behaviour affects the entire tech industry…
…We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.
This attack highlights the weakness of ad networks that serve multiple sites and allow anyone to buy ad slots without further review of what’s being served. This is not the first time Yahoo has been a target: last year about 2 million Yahoo users received malware that used Java to turn their PCs into bitcoin miners! Also that year, another company was unable to stop an attack by the Syrian Electronic Army that made it look as though major sites, including the Independent and Telegraph newspapers, had been hacked.
The Apple blogger John Gruber has argued that “the sooner we completely eliminate the use of Flash, the better. Just get rid of it.”