Hackers hijacked Yahoo ads for a full week

Visitors to Yahoo’s most popular websites over the last week may have been exposed to a widespread cyberattack launched through the company’s ad network.

The incident is the latest example of the increasingly popular “malvertising” attack, in which hackers spread malware through online advertising networks that reach millions of people. Yahoo’s homepage, for example, receives nearly 7 billion monthly visits. Several other Yahoo news sites get more than 100 million monthly visits.

{mosads}If website visitors click on an infected ad while on these pages, their computer becomes compromised, exposed to all types of cyber crime.

“This [is] one of the largest malvertising attacks we have seen recently,” said Jérôme Segura, a senior security researcher at Malwarebytes, the security firm that discovered the attack, in a blog post.

As of Monday, Yahoo said it has shut down the ongoing cyber assault, but would not say how many people had been affected.

“As soon as we learned of this issue, our team took action to block this advertiser from our network,” a spokesperson said in a statement.

According to Segura, the hackers exploited a bug in the much-maligned Adobe Flash software, which is used to stream audio and video online.

Flash has a recent history of security failures that has the tech community calling for its retirement.

It was revealed that Hacking Team, the controversial security firm that sold spying tools to the U.S. government and various repressive regimes, used Flash defects for snooping.

In the wake of that discovery in July, Mozilla and Google blocked the Flash plug-in in their Firefox and Chrome browsers. Facebook’s head of security even called on Flash to be phased out entirely.

Yahoo downplayed the incident’s scope.

“We take all potential security threats seriously,” the spokesperson said. “With that said, the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue.”

Yahoo is not the only major tech player to fall victim to a massive malvertising attack. In April, security researchers caught digital scammers using Google’s popular advertising service, DoubleClick, to launch cyberattacks on visitors to mainstream websites like The Huffington Post.

In response, Google moved to encrypt all ads placed through DoubleClick.

Congress has also turned its attention to malvertising in recent years.

Sen. John McCain (R-Ariz.) and then-Sen. Carl Levin (D-Mich.) last year spearheaded an investigation into the nefarious strategy.

The duo released a lengthy report in May 2014 that called out online advertisers for not aggressively tackling the issue.

“We must understand the security and privacy hazards consumers face in online advertising and make sure standards and rules exist to ensure consumers do not have to be more tech savvy than cyber criminals to stay safe online,” McCain said.