Feeds

back to article Malware! tainted! ads! infect! thousands! of! Yahoo! users!

Thousands of Yahoo! users have been exposed to malware through malicious advertisements over the past few days, according to research by Dutch security firm Fox-IT. Malware-tainted ads served from ads.yahoo.com were shown to victims in Romania, Great Britain and France, infecting tens of thousands every hour. The first infection …

COMMENTS

This topic is closed for new posts.

This is one reason why I've been blocking ads, since forever. Probably quite hard to achieve this attack vector, but once you have it, your audience (read victims) is massive.

12
1

makes me glad I run an older version of java so the browser refuses to allow it to run without me saying it's ok.

have to run an older version for a couple of legacy apps I work with otherwise it wouldn't be installed at all

0
0
Anonymous Coward

Who are Yahoo? Never heard of them.

1
3
Bronze badge

Aren't they something to do with AltaVista?

2
0
Silver badge

The real story here

Is that no one has been arrested for this yet.

6
0
jai
Silver badge

Re: The real story here

That was my first thought. Surely to place an ad you have to deal with someone. Even if it's an agency that is bulk managing adverts with Yahoo, surely they can trace it back to source? Someone had to have paid to get these ads on the network surely?

8
0
Silver badge

Re: The real story here

That would be true if the ads were coming from a legitimate source.

However, since the malware is being used by criminals, it's fairly safe to assume they didn't use their real ID when they bought the advertising space (and I'm willing to bet most agencies don't vet their customers - given even Banks have failed to fully "know your customer", what chance have lowly ad agencies got) .

Or alternatively they could have compromised the upload of legitimate Ads.

3
0
Silver badge

Re: The real story here

Money changed hands somewhere. I'm sure that they'll be able to dig out a receipt when the police come along to give them the 6 o'clock knock.

4
0
Bronze badge

Re: The real story here

Either that or they guessed someones password for the ad network and knew over the holidays the companies wouldn't check as much.

0
0

Re: The real story here

"Money changed hands somewhere. I'm sure that they'll be able to dig out a receipt "

well no, there are dozens of ways to avoid that, as others have pointed out.

there would be no spam on the net if things were so easily traceable

0
0
Anonymous Coward

Re: The real story here

> That would be true if the ads were coming from a legitimate source

But they are coming from a legitimate source - according to the article they were served from ads.yahoo.com.

Now if Yahoo are so f*cking stupid as to serve their sponsors' ads without first checking them then they fully deserve to be fined off the face of the planet and the CEO locked-up.

So to repeat the previous comment: the real story is why no arrests (and I mean Yahoo execs, not just those behind the scam)?

1
0
FAIL

YAWN

Yet Another Windows Nightmare.

4
7
Bronze badge

Re: YAWN

YAJN actually.

1
0
Silver badge
Facepalm

Re: YAWN

YAY!N

0
0
Silver badge

"technology rarely needed to surf most websites"

Rarely needed that may be, but it's implemented almost everywhere and a fucking nuisance most of the time.

It's come to a point where Java/Javascript is used over HTML in some websites. I guess that some website owners think that killing URL references and destroying easy bookmarking is an acceptable price to pay to prevent . . what? Page scraping ?

I use Firefox with AdBlocker and NoScript. Never been to Yahoo! except when forcefully redirected there.

Now I have another reason not to go there.

3
0
Silver badge
Unhappy

I'm getting a bit tired....

...of calling my customers every time their Yahoo email is hacked. Keep telling them to move.

Yahoo basically has zero security. Makes one wonder if there should be regulatory penalties for such things.

5
0
Bronze badge
Alert

security software

Does AdBlockPlus count as security software now?

5
0

Is there a JavaBlock addon, ala FlashBlock?

While Jess-- above has a neat trick of running an out of date copy of Java, that means a trade off where you still have old bugs and security problems -- albeit only on sites where you're explicitly allowing. Has anyone created a browser extension like Flashblock, where the functionality is nicely integrated with whitelisting capability? Chrome is all I need at home...

0
0

Re: Is there a JavaBlock addon, ala FlashBlock?

Have you tried to use Google Chrome's "Click To Play" plugin setting? Works well for me.

Settings - Advanced Settings - (Privacy) Content Settings - Plugins... select "Click To Play".

Works well for me, quick and easy to add websites to permanent whitelists, session whitelists or allow individual plugins on a page with a click..

0
0

Re: Is there a JavaBlock addon, ala FlashBlock?

Thanks, that was buried deeply enough that I'd not found it.

0
0

Re: Is there a JavaBlock addon, ala FlashBlock?

I know I'll be downvoted, but I can't help myself.

There is no such word as "ala". If there were, it would be written "a la" (with a grave accent over the first letter), but that's not English. What's wrong with "like"?

</pedant>

-A.

4
0

Re: Is there a JavaBlock addon, ala FlashBlock?

Now that ala has been used on the internet it will be added to English soon.

1
0

I'm pretty sure I was affected and I'm in Canada. I run web of trust and noscript but Yahoo was a trusted site, and since the awful change it made to its interface recently, nothing seems to run without java script and java enabled.

2
0

I use Yahoo mail and I'm in the UK, but I don't think I was affected (I don't often log into yahoo mail on the web - I use pop3 download to my gmail account). I run noscript, but I did have all of yahoo.com and yimg.com allowed in noscript - I've just updated that to be only mail.yahoo.com, ucs.query.yahoo.com and https://s.yimg.com, and mail still seems to be functional.

0
0
Thumb Down

Yahoo? Trusted Site??????

I need to log on to Yahoo very occasionally in connection with Freecycle. A horrible website.

Last I knew, Yahoo ran the email system for BT. Another reason not to have broadband with them.

1
0

Java != JavaScript

Confusing I know but uninstall (or at least disable) the Oracle Java Runtime unless you absolutely know you need it to do what you do. JavaScript on the other hand is useful and current and lot of sites rely on it.

1
0

Re: Java != JavaScript

I'm probably being hopelessly optimistic, but I'm keeping javascript off and encouraging others to do so. If enough of us stop using it, the webmasters will be forced to rethink.

On a whim I just had a glance at the anaytics for my workplace site for the last 30 days - 45% of visitors Google reckons no Javascript (not sure I believe it's actually that high). The visitors without Javascript have a bounce rate 10% higher than those that do, which I don't find surprising (in fact I'd have thought it would be worse).

0
0

How I avoid this.

I use both an adblocking addin and a script management addin in my broweser plus I have a hosts file on my internet machines that block known malware sites plus most of the advert and tracking sites. Once I move to fibre and can ditch the current ADSL modem I will put in a low end box running somthing like Smoothwall which will regularly update it's hosts file from known truested sites, adding further protection.

0
0
This topic is closed for new posts.