Yahoo is one of the participants of Taiwan's Singles' Day. (Photo : Reuters)
A security firm has reported that Yahoo's visitors could have been the victims of cybercriminals' malware attacks on their computers during the past week. The hackers broke into the company's advertising network and added traps on the homepage and various auxiliary sites via Adobe Flash vulnerabilities on Windows CPUs. That infected the visitor's computing machine by downloading malware from the tech giant's homepage or ad sites.
Besides Yahoo's website, traps that included millions of bits of code were also planted on its Finance, Celebrity, Sports, and Games sites. Sometimes visitors were lured to other harmful advertising sites.
Researchers at the security company Malwarebytes reported that the malicious ads first appeared at the site on July 28, Tuesday, infecting millions of Yahoo users during the following week. However, only the California-based company knows the exact figures.
Yahoo noted in a statement that it had shut down the guilty advertisers after the security firm informed it of the issue. However, it argued that it had overstated the threat's scale.
Malwarebytes' senior researcher Jérôme Segura wrote in his company's blog post about the Yahoo hack. He shared that the cyber-criminals responsible for the scam have also conducted a string of other large-scale attacks.
The hacks exploit ad networks. Websites use the platforms to share daily page views with possible advertisers. Hackers imbed malware in outdated Adobe Flash versions located on fake online ads.
The situation spotlights the security vulnerabilities of Adobe Flash, which has made headline news time and time again due to security problems. Segura called it a "godsend" to cyber-attackers, according to The New York Times.
Cyber-criminals then guide web traffic to the ad sites. Such sites either pay them a rate for page views, or use ransomware to hold programs "hostage" until the user pays the demand for money.
Such attacks do not require visitors to actually click on the ads. Users just have to visit the fraudulent website.
Following the recent online attack, Adobe urged its users to update their Flash Player.
Fake ads cost the industry about $11 billion yearly on money wasted, according to Mashable. Yahoo, the fifth most visited website on the Internet, is quite vulnerable to malware attacks due to its roughly 6.9 billion monthly visitors and heavy traffic to secondary sites.
