Yahoo’s ads spread malware via hackers, vulnerable Flash
The malware campaign was launched on July 28; however, there is no word on how many visitors could have been infected by this malware so far.
Malwarebytes security researchers say Yahoo is a victim of the same group that has been involved in a number of large-scale campaigns that exploit vulnerabilities in Adobe Flash.
According to a report from Jérôme Segura, senior security researcher at Malwarebytes, Yahoo’s websites have “an estimated 6.9 billion visits per month, making this one of the largest malvertising attacks we have seen recently”.
From there, the malware hunted for an out-of-date version of Adobe Flash, which it could use to commandeer the computer – either holding it for ransom until the hackers were paid off or discreetly directing its browser to websites that paid the hackers for traffic.
Malvertising can be a hard threat to confront because malicious ads do not require any type of user interaction to execute their payloads. Last year, an aggressive campaign was discovered that affected visitors across Yahoo and AOL’s sites.
Other malware typically loaded by Angler includes an ad-fraud tool called Bedep, Segura said. Simply browsing a compromised website was enough to start the infection chain and spread malware and ransomware.
“The complexity of the online advertising economy makes it easy for malicious actors to abuse the system and get away with it”, Segura wrote.
“As soon as we learned of this issue, our team took action and will continue to investigate this issue”.
“Unfortunately, disruptive ad behaviour affects the entire tech industry”.
Malwarebytes has since gotten in touch with Yahoo, and the issue has been promptly fixed, with Yahoo issuing a statement that reads, “Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience”.
“We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem”.
Grayson Milbourne, security intelligence director at cybersecurity firm Webroot, said: “This exploit raises serious questions about the size of this attack and Yahoo’s security processes”.
He also said that, in addition to being prudent “when obtaining and installing software”, users should use the Chrome browser as well as an ad-removal extension.
If a user clicks on one of the affected ads, they would typically be redirected through a number of other sites before landing on a page hosting the Angler Exploit Kit, which would attempt to silently download malware onto the victim’s computer.