View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Huge malvertising attack on Yahoo prompts alarm

Affected site clocking visits of 7 billion a month.

By Jimmy Nicholls

A huge malvertising attack on the advertising network run by Yahoo has alarmed security researchers due to the company’s website handling some 7 billion visits per month.

Hackers were said to have leveraged the Microsoft Azure website to deliver malware into the network from July 28 onwards, with ransomware such as CryptoWall thought to be one of the viruses the attackers may have been planning to spread.

Jerome Segura, senior security researcher at Malwarebytes, which uncovered the campaign, said: "Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload.

"The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain."

Malvertising works through infection of an advertising supply chain, putting infectious adverts into a legitimate network that lead to "drive-by downloads" that take place on clicking the advert or simply by browsing the site.

Infecting such networks can lead to many sites becoming harmful due the use of multiple advertising networks by many media groups, which leads to some security experts recommending users install script blockers, or even disable Flash and similar plugins entirely.

Following Malwarebytes report Yahoo confirmed that it would continue to investigate the problem, saying: "Unfortunately, disruptive ad behavior affects the entire tech industry.

Content from our partners
How to turn the evidence hackers leave behind against them
Why food manufacturers must pursue greater visibility and agility
How to define an empowered chief data officer

"Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience."

Commenting on whether Yahoo could have prevented such attacks, Mark James, security specialist at ESET, confirmed they could have, but said it would be impractical and difficult to do.

"All companies strive for the most cost effective means to deliver content to the users that want it, they must look at costs both incoming and outgoing, from a cost point of view why invent the wheel when it comes to advertising," he added.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.