For nearly a week, Yahoo and its numerous websites sites were a transport mechanism for a malvertising attack. In addition, the attackers seemed to have targeted a vulnerability in Adobe Flash, creating even more problems for a software platform that is considered out-of-date and subject to too many security concerns.
The attack against Yahoo started on July 28 and was finally shutdown on Aug. 3, according to the website Malwarebytes.
Since the Yahoo home page has an estimated seven billion visits per month, this is one of the biggest malvertising campaigns ever seen. The affected sports, news, and finance domains usually have millions of visits per month.
Yahoo has not released the actual number of visitors that could have been affected by the attack.
Malvertising is very stealthy because malicious ads do not require any type of user interaction in order to execute their malicious payload. The mere action of browsing to a website that contains the infected advertising is enough to start the infection chain process.
The ads that were involved compromised Microsoft Azure cloud addresses in order to direct clicks to the Angler exploit kit. Microsoft has since shut down the addresses used in the malvertising.
Microsoft spokesperson said: "As soon as we were alerted to the malicious site we took immediate steps to shut it down. When we identify misuse of the service that violates the Azure Acceptable Use Policy, such as the distribution of malware, we quickly take action. To report suspected security issues or abuse of Microsoft Online Services, visit https://cert.microsoft.com/."
Adobe Flash vulnerabilities were also deeply involved in the infection process. When ads were viewed by a Microsoft Windows user, the exploit checked for an outdated version of Flash in the target computer and took advantage of it with the Angler software.
Once infected, the computer could be held for ransom or directed to a website that paid the attackers for traffic.
The official response of Yahoo to all of this -- as reported by Malwarebytes -- is: "Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue."
[Read more about the issues with Flash.]
Yahoo officials added: "Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We'll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem."
While basically admitting in this statement that they fell down in the vetting process and got hosed, Yahoo completely ignores what most users' response to this incident will be. And that is installing ad-blocking software for their browsers. Yahoo sells ads, and it is understandable that they don't want to think about that kind of response.
But it may be almost impossible for any hosting site to vet all ads thoroughly, given how ad targeting and just-in-time sales of ads are burgeoning. The user is the one that ends up being responsible for his or her machine's security stance.
[Editor's note: This article was updated to include a comment from a Microsoft spokesperson.]