In case it wasn’t clear yet, Adobe’s Flash isn’t exactly the safest tool for delivering Internet content. Hackers are already more than aware of the software’s security issues and are happy to exploit them for various malicious purposes. That’s exactly what happened in late July when hackers used Flash to infect Yahoo websites with malware in what has been described as one of the largest malvertising attacks seen in recent months.
The attack was first discovered by a security researcher at Malwarebytes, The New York Times reports. Hackers deployed the malware on July 28th, targeting Yahoo’s advertising network for a week before the company put a stop to it.
The hackers bought ads on Yahoo’s sports, news and finance sites. Once a Windows computer visited one of Yahoo’s sites, it automatically downloaded malware code. The malware then hunted down out-of-date versions of Flash and used the old software to take control of computers that hadn’t updated to the most recent Flash release.
The malware would either hold the computer for ransom until the hackers were paid, or discreetly redirect browsing on the machine towards sites that paid the hackers for the extra traffic.
“Right now, the bad guys are really enjoying this,” Malwarebytes security researcher Jérôme Segura, who discovered the attack, said. “Flash for them was a godsend.”
Yahoo’s website has estimated traffic of 6.9 billion visits per month, the researcher said, and Yahoo’s other properties generate additional hundreds of millions of visits each month.
“In terms of how many people were served a malicious ad, only Yahoo would really know,” Segura said. “This is one of the largest attacks we’ve seen in recent months.”
Yahoo has no idea how many people were affected, the Times says. But Yahoo says the attack was not as big in scope as reported.
“We take all potential security threats seriously,” Yahoo told the Times in a statement. “With that said, the scale of the attack was grossly misrepresented in initial media reports, and we continue to investigate the issue.”