Yahoo's ads spread malware via hackers, vulnerable Flash

Yahoo was recently hit by hackers who used its advertisements to deliver malware to an unspecified number of visitors on several of its own websites, it has been revealed. The malware campaign carried on for a full seven-day week before Yahoo, having been alerted by the researchers who discovered it, took it down. Yahoo says it is investigating the matter, and though it has not revealed how many people were affected, it said through a spokesperson that the initial reports "grossly misrepresented" the scale of the attack.

The "malvertising" campaign was discovered by Malwarebytes, which detailed its discovery yesterday. The campaign began on July 28 and carried on for seven days before Yahoo, after being alerted, took it down. The malware campaign affected several of Yahoo's websites, including News, Finance, and Sports, three of its biggest segments.

According to the New York Times, the malicious ads downloaded malware onto Windows machines, ultimately affecting those running an out-of-date, vulnerable version of Adobe Flash. This further highlights the potential issues that come with Flash, which was recently in the news, again in a negative light, over serious security issues. Many have called for Adobe to retire Flash.

Yahoo said, in part:

Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We'll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.

SOURCE: The New York Times