Yahoo Malvertising Attack Points To More Flash Problems - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Enterprise Applications
Commentary
8/5/2015
03:05 PM
Larry Loeb
Larry Loeb
Commentary
50%
50%

Yahoo Malvertising Attack Points To More Flash Problems

For nearly a week, Yahoo sustained a malvertising attack that seems to point to further security concerns with Adobe's Flash platform.

9 Reasons Flash Must Die, And Soon
9 Reasons Flash Must Die, And Soon
(Click image for larger view and slideshow.)

For nearly a week, Yahoo and its numerous websites sites were a transport mechanism for a malvertising attack. In addition, the attackers seemed to have targeted a vulnerability in Adobe Flash, creating even more problems for a software platform that is considered out-of-date and subject to too many security concerns.

The attack against Yahoo started on July 28 and was finally shutdown on Aug. 3, according to the website Malwarebytes.

Since the Yahoo home page has an estimated seven billion visits per month, this is one of the biggest malvertising campaigns ever seen. The affected sports, news, and finance domains usually have millions of visits per month.

Yahoo has not released the actual number of visitors that could have been affected by the attack.

Malvertising is very stealthy because malicious ads do not require any type of user interaction in order to execute their malicious payload. The mere action of browsing to a website that contains the infected advertising is enough to start the infection chain process.

The ads that were involved compromised Microsoft Azure cloud addresses in order to direct clicks to the Angler exploit kit. Microsoft has since shut down the addresses used in the malvertising.

Microsoft spokesperson said: "As soon as we were alerted to the malicious site we took immediate steps to shut it down. When we identify misuse of the service that violates the Azure Acceptable Use Policy, such as the distribution of malware, we quickly take action. To report suspected security issues or abuse of Microsoft Online Services, visit https://cert.microsoft.com/."  

Adobe Flash vulnerabilities were also deeply involved in the infection process. When ads were viewed by a Microsoft Windows user, the exploit checked for an outdated version of Flash in the target computer and took advantage of it with the Angler software.

(Image: Nicolas McComber/iStockphoto)

(Image: Nicolas McComber/iStockphoto)

Once infected, the computer could be held for ransom or directed to a website that paid the attackers for traffic.

The official response of Yahoo to all of this -- as reported by Malwarebytes -- is: "Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue."

[Read more about the issues with Flash.]

Yahoo officials added: "Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We'll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem."

While basically admitting in this statement that they fell down in the vetting process and got hosed, Yahoo completely ignores what most users' response to this incident will be. And that is installing ad-blocking software for their browsers. Yahoo sells ads, and it is understandable that they don't want to think about that kind of response.

But it may be almost impossible for any hosting site to vet all ads thoroughly, given how ad targeting and just-in-time sales of ads are burgeoning. The user is the one that ends up being responsible for his or her machine's security stance.

[Editor's note: This article was updated to include a comment from a Microsoft spokesperson.]

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kstaron
50%
50%
kstaron,
User Rank: Ninja
8/19/2015 | 2:10:36 PM
Re: The ad industry has a problem
I agree, I don't know why adblockers aren't already more commonplace. I guess each user has to get fed up enough to DO something about it, whether it's cause is malware or just slow load times.  I wonder how advertisers will respond when more people have adblockers. What will their next strategy be?
larryloeb
50%
50%
larryloeb,
User Rank: Author
8/6/2015 | 6:55:34 AM
Re: The ad industry has a problem
Well, you suggest the course of action that I was referring to.

If the user has updated Flash, this exploit doesn't work. Why havent they?

They dont either know about updating or they are too lazy to do it.

 

Lots of folks ask me support questions, like everyone who reads our stuff.

It's amazing to me how simple, basic things don't get done by the people asking them.

Some still think that they dont need any steeeenking upgrades. Just buy the computer and use it.

 

The auto-upgrade in Win10 may be the best thing Microsoft has ever done for the world.
Gary_EL
50%
50%
Gary_EL,
User Rank: Ninja
8/5/2015 | 11:09:35 PM
Re: The ad industry has a problem
No, not "Lazy and/or uninformed users."

Not every user has to be a software or security expert. If everyone had to be, the digital revolution would have never happened, because most people are too busy as it is being butchers, bakers and candlestick makers. Taking it back a step further, not every programmer has to know anything about electrical engineering, let alone physics, upon which all of the electronic world is built.

Nope, all the individual user can do is to install an antivirus programs and keep it up to date, along with our addons. We need to back up our files, and be ready to reinstall the Operating System in the event we get hit anyway. Am I missing anything?
larryloeb
0%
100%
larryloeb,
User Rank: Author
8/5/2015 | 7:27:55 PM
Re: The ad industry has a problem
Lazy and/or uninformed users.

When these attacks become more prevalent; adblockers will rule.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Author
8/5/2015 | 7:01:23 PM
The ad industry has a problem
When online ads represent a security risk and slow page load times and compromise user privacy, it's hard to understand why they aren't blocked more often.
News
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Commentary
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
Slideshows
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
Slideshows
Flash Poll