Yahoo played the unwitting host to a week’s worth of malware-laden scams in what may be the largest attack of its kind in months, security firm Malwarebytes claimed.
Researchers said the attackers infiltrated the web portal’s advertising network and planted traps on its homepage — along with its sports, finance, celebrity and games sites. When visitors came by the sites, the ads discreetly downloaded malware files to the visitor’s computer, either directly from the webpage or from a harmful site to which the ads diverted visitors.
The batch of parasitic ads first appeared on the site last Tuesday and may have affected millions of Yahoo users in the ensuing week, according to the firm, though only Yahoo can gauge the exact count.
In a statement, Yahoo said that it had successfully shut down the offending advertisers after the firm alerted it to the problem. The company also charged the firm with exaggerating the extent of the threat.
“We take all potential security threats seriously,” a Yahoo spokesperson said in an emailed statement (see below for the full text). “With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue.”
Yahoo did not respond to Mashable’s requests to explain the accusation or reveal the number of visitors hit.
The scam appeared to be the work of the same cybercriminal group that has orchestrated a number of similar large-scale attacks, according to Malwarebytes’ senior researcher Jérôme Segura, who authored the company’s blog post on the attack.
The campaign is the latest in a rash of attacks that use ad networks — the platforms websites use to peddle millions of page views each day to interested advertisers — to buy up tracts of page space and camouflage downloadable malware behind the veneer of an advertisement. The attackers then burrow the malware into their favorite pressure point: out-of-date versions of Adobe Flash.
Once tainted with snippets of this code, the ubiquitous graphics plug-in, notoriously rife with security holes unless fully updated, becomes a command post from which hackers stealthily channel the host browser’s traffic to websites that pay them for the views or even hold programs hostage until their weary owner coughs up a payment — an extortionary device known as ransomware.
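The chain described above (a page loads an ad-network resource, the ad pulls a Flash object from a third-party host, and that object fetches an executable) leaves a recognizable footprint in web-proxy logs. The following script is an added example, not code from Malwarebytes, Yahoo or the article, of how a defender might flag that footprint. The log format, the `AD_DOMAINS` allow-list, the 30-second window and every domain and IP address in `SAMPLE_LOG` are constructed assumptions; a real deployment would feed it the organization's own proxy export and its own list of known ad networks.

```python
"""
Malvertising-chain detector over web-proxy logs (added example, not the
article's or any vendor's code).

Assumed log format, one request per line, whitespace separated:
    <ISO timestamp> <client IP> <requested URL> <referer or '-'> <MIME type>

Alert rule: for one client, an ad-network fetch followed within WINDOW by a
Flash object whose referer is the ad network but whose host is NOT an ad
network, followed within WINDOW by an executable download. Flash creatives
served by the ad network itself are ordinary ads and are not flagged.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample traffic (hypothetical hosts and addresses, not real IoCs).
# Client 10.0.0.5 shows the suspicious chain; client 10.0.0.9 loads a normal
# Flash banner from the ad network and should not trigger an alert.
SAMPLE_LOG = """\
2015-08-04T10:00:01 10.0.0.5 http://news.example.com/ - text/html
2015-08-04T10:00:02 10.0.0.5 http://ads.adnet-example.net/serve?id=1 http://news.example.com/ text/javascript
2015-08-04T10:00:03 10.0.0.5 http://cdn.bad-example.org/x.swf http://ads.adnet-example.net/serve?id=1 application/x-shockwave-flash
2015-08-04T10:00:05 10.0.0.5 http://cdn.bad-example.org/load.exe http://cdn.bad-example.org/x.swf application/octet-stream
2015-08-04T10:00:01 10.0.0.9 http://news.example.com/ - text/html
2015-08-04T10:00:02 10.0.0.9 http://ads.adnet-example.net/serve?id=2 http://news.example.com/ text/javascript
2015-08-04T10:00:03 10.0.0.9 http://ads.adnet-example.net/banner.swf http://ads.adnet-example.net/serve?id=2 application/x-shockwave-flash
"""

AD_DOMAINS = {"ads.adnet-example.net"}  # assumed allow-list of known ad-network hosts
WINDOW = timedelta(seconds=30)           # assumed maximum gap between chain steps
FLASH_MIME = "application/x-shockwave-flash"
EXEC_MIMES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}


@dataclass
class Event:
    ts: datetime
    client: str
    url: str
    referer: str
    mime: str

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""

    @property
    def referer_host(self) -> str:
        return urlparse(self.referer).hostname or ""


def parse_log(text: str) -> list:
    """Parse the assumed five-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer, mime = line.split()
        events.append(Event(datetime.fromisoformat(ts), client, url, referer, mime))
    return events


def detect_chains(events: list, ad_domains: set, window: timedelta = WINDOW) -> list:
    """Return one alert per ad -> third-party Flash -> executable chain seen per client."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev.client].append(ev)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        last_ad = None    # most recent request to a known ad network
        candidate = None  # Flash object pulled from a non-ad host via the ad
        for ev in evs:
            if ev.host in ad_domains:
                last_ad = ev          # includes Flash creatives hosted by the network
                continue
            if (ev.mime == FLASH_MIME and last_ad is not None
                    and ev.referer_host in ad_domains
                    and ev.ts - last_ad.ts <= window):
                candidate = ev
                continue
            if (ev.mime in EXEC_MIMES and candidate is not None
                    and ev.ts - candidate.ts <= window):
                alerts.append({"client": client,
                               "chain": [last_ad.url, candidate.url, ev.url]})
                candidate = None      # one alert per chain
    return alerts


if __name__ == "__main__":
    for alert in detect_chains(parse_log(SAMPLE_LOG), AD_DOMAINS):
        print(alert["client"], " -> ".join(alert["chain"]))
```

Requiring the Flash object's referer to be the ad network ties the download to the ad rather than to anything else the page loaded, and keeping the network's own Flash creatives out of the candidate step is what stops ordinary banners from paging an analyst.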
One need not even click on the ad in question to fall prey; rather, most spring to life upon the visitor’s arrival, Segura told Mashable.
These tactics — along with a toolbox of other advertising cons — have become a scourge of the free consumer internet, where ads are the lifeblood of millions of websites. Fraudulent ads rob the industry of an estimated $11 billion each year in wasted spending.
With an estimated 6.9 billion visitors to its homepage each month, Yahoo is the fifth most popular destination on the web, according to its Alexa Ranking. The infected auxiliary sites, which are among the company’s most trafficked, similarly rack up millions of visitors each month.
While the behemoth size of the target made it one of the most insidious attacks in a long while, chasing game this big is not unprecedented for this class of cybercriminal, said David Sendroff, founder and CEO of ad fraud detection firm Forensiq. Like any web-based outfit, fraudsters are in the business of trawling for clicks, and they tend to go where supply is most plentiful.
“Bad actors look for outlets with the widest distribution and large networks are a primary target,” Sendroff said in an email.
In fact, bigger sites might actually have accordingly bigger targets on their backs. The sheer volume of transactions that whirls through a digital ad marketplace on any given day makes policing them close to impossible. Even if one were to inspect each one, ads can easily pass as legitimate until they are through the gate, and the majority do.
“Yahoo is dealing with an advertiser it’s dealt with for a number of years, that it trusts,” Segura says, laying out one hypothetical scenario. “And all of a sudden the advertiser pushes a malignant ad. How do you react to this? Do you ban the advertiser you’ve been doing business with for a number of years? It can be quite tricky.”
Segura said prize quarry for these hackers includes news and media sites and porn sites, spots where visitors are constantly coming and going.
At the end of the day, Segura said, the foundation of a full-stop solution will be the personal security walls of each web surfer. (He of course works for a malware-protection software maker, so he does stand to benefit from his prescription.)
“If you want to take a stab at this issue, you’ve got to start there,” Segura said. “You’ve got to make it more difficult for malware to compromise machines with these sort of attacks.”
Preventive steps include making sure that you have a malware-resistant firewall in place and that your Flash plug-in is the most recent version available.
Other personal protections, however, can sometimes cause advertisers even more headaches. As ad blocking software grows more popular, more Internet users are opting to cut off the spigot to advertising altogether, a trend that could pose a major threat to publishers’ revenue if it continues. Incidents like these only reinforce the desire to cut out ads.