Yahoo ads compromised by hackers for a week in record attack
Malware was spread through Yahoo's ads for a week, according to a senior security researcher at Malwarebytes, the security firm that first learned of the attack. More than 100 million people visit Yahoo's new sites per month.
Yahoo said it has curbed the attack that began on July 28.
“As soon as we learned of this issue, our team took action to block this advertiser from our network,” a Yahoo spokesperson said in a statement.
Jérôme Segura, a senior security researcher at Malwarebytes, said hackers used a bug in Adobe Flash, which streams audio and video.
“This [is] one of the largest malvertising attacks we have seen recently,” Segura said.
Yahoo claimed the scale of the attack was initially blown out of proportion.
“We take all potential security threats seriously,” the company's spokesperson said, according to The Hill. “With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue.”
Yahoo's contemporary, Google, fell victim to a large malvertising attack earlier this year. Hackers were found to be using Google's advertising service, DoubleClick, to launch attacks on visitors from other websites. Google responded by announcing it would encrypt all DoubleClick ads.
Yahoo also said in April that it would encrypt its ad network connections. The company said it has already installed end-to-end encryption for its Yahoo Mail.
Online advertisers have received encouragement from top US senators to solidify their networks in order to protect online consumers from malvertising attacks.
“We must understand the security and privacy hazards consumers face in online advertising and make sure standards and rules exist to ensure consumers do not have to be more tech savvy than cyber criminals to stay safe online,” said Sen. John McCain, who, with then-Sen. Carl Levin, released a report in 2014 that urged online advertisers to take action.
Malvertising efforts reached more than 2 million users in June, a record according to security firm Invincea.
The Adobe Flash-enabled attack, meanwhile, has led to renewed calls for Flash to be disabled on personal computers, short of its outright retirement.