Malvertising Attack on Yahoo Is Another Reminder to Disable Flash


In case you weren’t already aware that Flash is useless trash that you should disable immediately, consider the sad tale of last week’s malvertising attack on Yahoo.


Hackers bought ads on Yahoo’s sprawling ad network, but the ads used malicious code to hijack the computers of people with old versions of Flash on Windows.

Yahoo shut down the attack yesterday, but starting July 28, hackers orchestrated a large-scale scheme to take advantage of Flash’s horrible security, which regularly leaves gaping vulnerabilities unfixed. The same kind of attack happened to Google’s ad network earlier this year.

The New York Times described how hackers made money off the sketchy campaign (and how the poor Flash-using schmucks lost it):

From there, the malware hunted for an out-of-date version of Adobe Flash, which it could use to commandeer the computer — either holding it for ransom until the hackers were paid off or discreetly directing its browser to websites that paid the hackers for traffic.

Security company Malwarebytes discovered the attack, and its researcher Jérôme Segura noted that Yahoo.com receives 6.9 billion visitors a month, meaning the hackers had access to a lot of potential Flash patsies. Yahoo hasn’t confirmed the size of the attack, but whatever the final numbers are, let this be a reminder to disable Flash.

Update: Yahoo sent me a comment. Doesn’t make note of the estimated number of people who got duped by this scheme or really say anything, but here it is for posterity:

Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action to block this advertiser from our network.

We take all potential security threats seriously. With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue.

Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.


[New York Times via Malwarebytes]


DISCUSSION

WonderZimms

Echoing the comments below.

It’s very easy to write a column and say, “Don’t use Flash!” Gizmodo does this a lot, as does TechCrunch, Wired, Verge...

The problem is, there’s no replacement for flash (HTML5...just, no). Several sites I use require Flash, including one I pay to access. While I am cognizant of the harm leaving Flash enabled can do, there’s really no other option.

I say this in a mostly joking way: forget SOPA, forget CISA. We need legislation banning the use of Flash. :)