
Yahoo users who spent time last week on the Sunnyvale company’s main Web portal or its news, gaming or finance sites probably didn’t notice the small rectangular advertisement for a cloud-based browser that appeared on the side of the page.

And they didn’t have to click on it, either, to be infected with its malware.

After blocking the problem advertiser, Yahoo said this week that the “scale of the attack was grossly misrepresented.” But the San Jose-based security firm that detected it, Malwarebytes Labs, is not so sure.

“Yahoo has a lot of traffic,” said Jérôme Segura, a senior security researcher at Malwarebytes. “We’re talking about a large amount of people exposed to this.”

The attack began when AdJuggler, a trusted advertiser and partner of Yahoo for ad distribution, “got abused by rogue advertisers that uploaded a malicious ad that got displayed on the main site,” Segura said.

“When people were browsing the site, the ad automatically — without any type of user interaction — would silently load malicious code into the background and attempt to infect the computer with a piece of malware,” he said.

The so-called “malvertising” attack targeted Windows users running older versions of Adobe’s frequently exploited Flash Player; the ad’s hidden code exploited the outdated plugin to install malware without a click.
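The mechanism Segura describes above, a creative that silently loads code and exploits an outdated Flash plugin with no click, is what a publisher's pre-serve screening of third-party creatives is meant to catch. The following Python script is an added illustration, not code from Yahoo, AdJuggler or Malwarebytes: it statically scans an ad creative's HTML for plugin embeds (Flash in particular), resources fetched from hosts outside the ad partner's approved list, iframes served without a sandbox attribute, and inline script using common payload-hiding calls. The allowlist, the host names and the two sample creatives are constructed for the example.

```python
"""Static pre-screen for third-party ad creatives (added example).

Assumes a publisher receives each creative as an HTML snippet before it
is served and wants to reject ones that embed plugin content or pull
resources from hosts outside the ad partner's approved list. The
allowlist and the sample creatives below are constructed for this
illustration; they are not real ad-network data.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

FLASH_MIME = "application/x-shockwave-flash"

# Constructed allowlist: hosts the ad partner is contracted to serve from.
ALLOWED_HOSTS = {"cdn.ads.example", "static.adpartner.example"}

# Calls that frequently appear when a creative decodes a hidden payload
# at runtime instead of shipping plain markup.
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")


class CreativeScanner(HTMLParser):
    """Collects policy findings while walking the creative's markup."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = allowed_hosts
        self.findings = []
        self._in_script = False

    def _host_ok(self, url):
        host = urlparse(url).hostname
        # A relative URL resolves to the publisher's own origin, so only
        # absolute and protocol-relative URLs are checked against the list.
        return host is None or host in self.allowed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("object", "embed"):
            mime = (a.get("type") or "").lower()
            src = a.get("data") or a.get("src") or ""
            if mime == FLASH_MIME or src.lower().endswith(".swf"):
                self.findings.append(f"flash plugin content: {src or '<inline>'}")
            else:
                self.findings.append(f"plugin element <{tag}>: {src or '<inline>'}")
        elif tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and not self._host_ok(src):
                self.findings.append(f"off-allowlist script: {src}")
        elif tag == "iframe":
            src = a.get("src") or "<inline>"
            if src != "<inline>" and not self._host_ok(src):
                self.findings.append(f"off-allowlist iframe: {src}")
            if "sandbox" not in a:
                self.findings.append(f"unsandboxed iframe: {src}")

    def handle_data(self, data):
        # HTMLParser delivers the body of a <script> element through
        # handle_data, so inline script text lands here.
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append("obfuscated inline script")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_creative(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings; an empty list means the creative passed."""
    scanner = CreativeScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample creatives for the example.
CLEAN_CREATIVE = (
    '<a href="https://static.adpartner.example/landing">'
    '<img src="https://cdn.ads.example/banner.png" alt="ad"></a>'
)
SUSPICIOUS_CREATIVE = (
    '<div><img src="https://cdn.ads.example/cloud-browser.png" alt="ad">'
    '<script>var p=unescape("%3Cobject%3E");document.write(p);</script>'
    '<object type="application/x-shockwave-flash" data="//evil.example/ad.swf"></object>'
    '<iframe src="http://evil.example/lp"></iframe></div>'
)

if __name__ == "__main__":
    for name, html in (("clean", CLEAN_CREATIVE), ("suspicious", SUSPICIOUS_CREATIVE)):
        print(name, "->", scan_creative(html) or "no findings")
```

A screen like this only catches what is visible in the creative at submission time; an ad that fetches its real payload later, or that is swapped server-side after approval, needs runtime monitoring of what the served ad actually loads.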

Yahoo made a statement Monday saying that “as soon as we learned of this issue, our team took action to block this advertiser from our network. We take all potential security threats seriously. With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue.”

Yahoo added: “Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”

Segura said he doesn’t disagree that malicious advertising is an industry-wide problem.

“We’ve seen luxury brands, perfumes, car makers, where malicious code was added. It has nothing to do with the brand itself,” he said. “Malvertising is a very effective technique, it’s a cost-effective technique. You basically have the same tools legitimate advertisers do. You can configure to be shown only to a specific area or types of computers, age brackets, sometimes even revenue brackets.”

But that’s of little consolation, he said, to the people affected by the attack. And while only Yahoo has the internal data to show how many impressions the malicious ads received, Malwarebytes said it detected a surge of malvertising traffic that lasted nearly a week.

Above: A screenshot Tuesday of Yahoo’s main website, which was affected by malicious advertisements last week.