In case you weren’t already aware that Flash is useless trash that you should disable immediately, consider the sad tale of last week’s malvertising attack on Yahoo.
Hackers bought ads on Yahoo’s sprawling ad network, but the ads carried code that sent visitors’ browsers to pages that probed for out-of-date versions of Flash on Windows and exploited them to take control of the machine.
Yahoo shut down the attack yesterday, but it had been running since July 28: a large-scale scheme built on Flash’s dismal security record, a steady stream of exploitable vulnerabilities that attackers can count on finding unpatched on some users’ machines. The same kind of attack hit Google’s ad network earlier this year.
The New York Times described how hackers made money off the sketchy campaign (and how the poor Flash-using schmucks lost it):
From there, the malware hunted for an out-of-date version of Adobe Flash, which it could use to commandeer the computer — either holding it for ransom until the hackers were paid off or discreetly directing its browser to websites that paid the hackers for traffic.
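That version check in the quoted passage is the mechanical heart of the attack: the landing page fingerprints the visitor’s Flash plugin and only fires an exploit at builds it knows are vulnerable. The script below is an added example written for this post, not code from the attack, the Times or Malwarebytes. It turns the same fingerprinting logic into a defender-side audit: it reads the Flash entry from navigator.plugins when run in a browser, parses the version string in the forms browsers report, and compares it against a patched-version threshold. The threshold 18.0.0.209 and the sample plugin list are assumptions constructed for illustration.

```javascript
// Added example for this post, not code from the attack, the Times or Malwarebytes:
// the Flash version fingerprint an exploit kit's landing page keys on, reused as a
// defender-side audit. The patched threshold and the sample plugin list below are
// assumptions constructed for illustration.

// Assumed threshold: Adobe's Flash 18.0.0.209, the patched build current in July 2015.
const MIN_PATCHED_FLASH = [18, 0, 0, 209];

// Constructed sample shaped like navigator.plugins entries (NPAPI Flash on Windows
// reports a description like "Shockwave Flash 18.0 r0"; some builds also expose
// the full dotted version). Used when no real navigator.plugins is available.
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 11.2 r202", version: "11.2.202.491" },
];

// Extract the version components from any form a browser reports:
//   "Shockwave Flash 18.0 r0"  -> [18, 0, 0]        (description; no build number)
//   "18.0.0.209"               -> [18, 0, 0, 209]   (plugin.version)
//   "WIN 18,0,0,209"           -> [18, 0, 0, 209]   (ActiveX $version form)
// Returns null when no version is present.
function parseFlashVersion(s) {
  if (typeof s !== "string") return null;
  const norm = s.replace(/(\d)\s+r(\d+)/, "$1.$2").replace(/,/g, ".");
  const m = norm.match(/\d+(?:\.\d+){1,3}/);
  return m ? m[0].split(".").map(x => parseInt(x, 10)) : null;
}

// Compare version arrays component by component: -1, 0 or 1.
// Returns null when `a` is a proper prefix of `b`, i.e. too short to decide
// (a "18.0 r0" description cannot tell 18.0.0.203 from 18.0.0.209).
function compareVersions(a, b) {
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return a.length >= b.length ? 0 : null;
}

// Audit a plugin list shaped like navigator.plugins.
// Returns { installed, version, outdated } where outdated is true, false, or
// null when the reported string is too coarse to decide. No Flash at all means
// this attack has nothing to exploit, so outdated is false there.
function auditPlugins(plugins) {
  const flash = Array.from(plugins || []).find(p => /shockwave flash/i.test(p.name || ""));
  if (!flash) return { installed: false, version: null, outdated: false };
  // Prefer the full dotted version; fall back to the coarser description.
  const version = parseFlashVersion(flash.version) || parseFlashVersion(flash.description);
  if (!version) return { installed: true, version: null, outdated: null };
  const cmp = compareVersions(version, MIN_PATCHED_FLASH);
  return { installed: true, version, outdated: cmp === null ? null : cmp < 0 };
}

// In a browser this reads the real plugin list; elsewhere (Node) it falls back
// to the constructed sample so the example runs offline.
function runAudit() {
  const real = typeof navigator !== "undefined" && navigator.plugins;
  return auditPlugins(real ? navigator.plugins : SAMPLE_PLUGINS);
}

console.log(JSON.stringify(runAudit()));
```

Run it in a browser console to audit your own plugin list, or under Node, where the constructed sample stands in for navigator.plugins. The point worth taking away is that the version string is all the attacker needs: an old build is exploitable on whatever site happens to serve the ad, and a description-only fingerprint like "18.0 r0" is deliberately reported as undecidable rather than guessed either way.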
Security company Malwarebytes discovered the attack, and its researcher Jérôme Segura noted that Yahoo.com receives 6.9 billion visits a month, meaning the hackers’ ads could have been shown to an enormous pool of potential Flash patsies. Yahoo hasn’t confirmed the size of the attack, but whatever the final numbers are, let this be a reminder to disable Flash.
Update: Yahoo sent me a comment. It doesn’t make note of the estimated number of people who got duped by this scheme or really say anything, but here it is for posterity:
Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action to block this advertiser from our network.
We take all potential security threats seriously. With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue.
Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.
[New York Times via Malwarebytes]