How bad was Yahoo’s ‘malvertising’ attack?

Yahoo users who spent time last week on the Sunnyvale company’s main Web portal or its news, gaming or finance sites probably didn’t notice the small rectangular advertisement for a cloud-based browser that appeared on the side of the page.

And they didn’t have to click on it, either, to be infected with its malware.

After blocking the problem advertiser, Yahoo said this week that the “scale of the attack was grossly misrepresented.” But the San Jose-based security firm that detected it, Malwarebytes Labs, is not so sure.

“Yahoo has a lot of traffic,” said Jérôme Segura, a senior security researcher at Malwarebytes. “We’re talking about a large amount of people exposed to this.”

The attack began when AdJuggler, a trusted advertiser and partner of Yahoo for ad distribution, “got abused by rogue advertisers that uploaded a malicious ad that got displayed on the main site,” Segura said.

“When people were browsing the site, the ad automatically — without any type of user interaction — would silently load malicious code into the background and attempt to infect the computer with a piece of malware,” he said.

The so-called “malvertising” affected computer users with older versions of Adobe’s oft-targeted Flash player on Windows.

Yahoo made a statement Monday saying that “as soon as we learned of this issue, our team took action to block this advertiser from our network. We take all potential security threats seriously. With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue.”

Yahoo added: “Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”

Segura said he doesn’t disagree that malicious advertising is an industry-wide problem.

“We’ve seen luxury brands, perfumes, car makers, where malicious code was added. It has nothing to do with the brand itself,” he said. “Malvertising is a very effective technique, it’s a cost-effective technique. You basically have the same tools legitimate advertisers do. You can configure to be shown only to a specific area or types of computers, age brackets, sometimes even revenue brackets.”

But that’s of little consolation, he said, to the people affected by the attack. And while only Yahoo has the internal data to show how many impressions the malicious ads received, Malwarebytes said it detected a surge of malvertising traffic that lasted nearly a week.

Above: A screenshot Tuesday of Yahoo’s main website, which was affected by malicious advertisements last week.



  • commenter

    And this is why I block your ads.

  • Scott Davis

    Adblock+ FTW! That and NoScript.

  • Mac

    And this is the best and most specific that they can tell us, the users of this site?
    Are we as “visitors” to and of this site susceptible? In half the article, I gather that to be true, and then I read on and gather it not to be true….and yet, I have been noticing weird things going on with my computer or their site and I don’t know which it is that is causing “my” problems.
    What should I actually look for?
    My keyboard doesn’t work properly, half of the time, when writing in their comment sections, (though in this one it seems to be -OK) is that them, or me [mine]?
    I have been sent all over “Helen Back”, and everywhere but, when I click on my “notifications” button. I thought that was just normal for them???….or is it me [mine]?
    CHIT, I guess I need to go do a Clean-up and out…see ya in a couple hours ‘eh?

  • Linus Walters

    Classic Yahoo downplaying it…it’s like those other times when their security was breached and passwords were stolen and they didn’t bother to warn people.

  • Ralph Spooner

    That is why I use Mozilla Firefox and the AdBlock+ add-on. Nothing gets through it that I have seen yet. Scott Davis hit the nail on the head. I also have strict pop-up blocker active as well.

  • Pooky

    Focusing too much on Kardashian stories?

  • altizar

    I didn’t notice it because I use ta-da “ADBLOCKER” !!

  • Name

    A Yahoo! ad? What’s that? It all seems so foreign to me. Oh that’s right I have Adblock (Plus and Pro because f*ck ads…and in-video commercials)

  • Adblock + no Flash installed = No problems.

  • sd

    Reason #19 to dump Flash’s sorry a– . Didn’t even bother installing Flash on the new MacBook. I’m finding I really don’t miss much content.

  • rocketride

    Where is the ad on that page? (The screen grab at the top of the article.) I’m just not seeing it.

    • The problem advertisement is not shown in that screenshot.

      • rocketride

        Well, that’s kind of pointless. Welcome to clickbait city.

        • An image of the bad ad wasn’t shared with us, and I haven’t seen it. I described its basic contours and location in the first sentence. We run a photo with every post, and this was the Yahoo homepage on the day of the post — I chose the homepage because that’s where a lot of people were encountering the ad when it was still there. Not sure how that constitutes clickbait. 😉

          • rocketride

            I should point out that I’m NOT calling your article actual “clickbait”. My intention was to point out a certain similarity between your posting a random Yahoo homepage (not containing the malvertising), with tactics that some clickbait perpetrators use. Namely, using a thumbnail come-on photo of something (which looks like there might be something interesting going on but you can’t really tell because it’s a thumbnail so you start clicking away in the hopes of seeing a bigger version with enough detail to confirm or deny your suspicions) which shows up precisely nowhere in the actual ‘article’. Meanwhile, you’ve clicked through one captionless frame and four with parts of the caption for each of the thirty or so photos. . .

            No, I don’t click on that sort of thing, ever, anymore. (I have been known to ‘grab’ the thumbnail and run it through a Google™ image search, though.)

            BTW, how much do those a-holes get paid per click? Are we in the wrong business?

  • Bob Johnson

    Hum. No problem here on my Linux system.

  • Rich

    Isn’t the issue related to the Firefox upgrade link in the upper right corner? Adblocker would not protect a downloaded image such as shown above? The article mentions the issue was with a web browser ad.

    The article stated this:

    Yahoo users who spent time last week on the Sunnyvale company’s main Web portal or its news, gaming or finance sites probably didn’t notice the small rectangular advertisement for a cloud-based browser that appeared on the side of the page.