Security firm Malwarebytes has revealed that Yahoo unwittingly hosted a week-long malvertising campaign, in what may be the largest attack of its kind in months.
The researchers said the attackers infiltrated the web portal's advertising network and served malicious ads on its homepage, as well as on its sports, finance, celebrity and games sites.
When visitors landed on those pages, the ads silently downloaded malware to the visitor's computer, either directly from the page or from a malicious site to which the ads redirected the browser.
The malicious ads first appeared on the site last Tuesday and may have affected millions of Yahoo users over the following week, though only Yahoo can determine the exact number.
Yahoo has released a statement saying that it shut down the offending advertisers after the firm alerted it to the problem, but it accused the firm of exaggerating the extent of the threat.
“We take all potential security threats seriously,” a Yahoo spokesperson said in an emailed statement (see below for the full text). “With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue.”
The campaign appeared to be the work of the same cybercriminal group that has orchestrated a number of similar large-scale attacks, according to Malwarebytes senior researcher Jérôme Segura, who authored the company's blog post on the attack.
One need not even click on the ad in question to fall prey; rather, most of the ads spring to life on the visitor's arrival, Segura said.
Yahoo's homepage receives an estimated 6.9 billion visits each month, and Yahoo is the fifth most popular destination on the web, according to its Alexa ranking.
To protect yourself, make it harder for malware to compromise your machine through this sort of attack. Because no click is required, cautious browsing alone is not enough; steps include making sure that you have a firewall and anti-malware protection in place and that your browser and its Flash plug-in are the most recent versions available.