If you were visiting Yahoo’s website this week, or any of its websites relating to finance, games, sports or celebrities, you may have been exposed to cybercrooks trying to steal your money. It took Yahoo almost a week to notice anything was wrong.
Unfortunately, this isn’t the first time online thieves have used the Yahoo website as cover for their criminal endeavors. Using a tactic called “malvertising” (MALicious adVERTISING), crooks place dangerous ads on the Yahoo website, ads designed to get visitors in trouble. Many times, it is not even necessary to click an ad to get in trouble; merely visiting a page that contains the ad can get the job done.
Shockingly enough, most websites that allow third-party advertising don’t even know what ads are on their own websites. They subscribe to ad services that supply ads to fill “revenue-generating” spaces on their sites, but often don’t check to see what the ad services are actually providing. Internet crooks have learned how this lackadaisical system works: they take out ads on websites like Yahoo, Yahoo doesn’t check to see if the ads are safe, and you are left holding the bag.
This isn’t Yahoo’s first time around the malvertising block. Thousands of Yahoo users were also victimized by malvertising in August of 2014; thousands more were attacked in January of the same year. In 2013, phony Yahoo ads were guilty of leading searchers to viruses masquerading as Google’s Chrome browser. In 2010, research by antivirus company Avast tagged Yahoo as the number one deliverer of dangerous ads.
To be fair, other companies like Google, The Huffington Post, the New York Times, AOL, CNN, and even the London Stock Exchange have been guilty of serving up malicious ads, but for some reason, Yahoo seems determined to lead the pack. I can only think of one reason why Yahoo allows this sorry state of affairs to continue: they just don’t care.
With annual revenues in excess of $4 billion, Yahoo could spend $40 million a year, less than 1% of annual revenue, to hire a large team of unskilled computer users to do one thing, every day: visit Yahoo web pages and, if needed, click on ads. Call them “Website Proof-readers,” if you will. Yahoo could very quickly, easily and inexpensively provide an unprecedented layer of security and protection to their customers, and retire the shameful mantle of “Leading Malvertising Provider” they currently wear. Will they? What do you think?
Meanwhile, normal computer users are left wondering whether they should ever trust Yahoo again and whether there is anything they can do to protect themselves. The answers are no, and yes.
Update, update, update. You’ve heard it all before, now be sure to update, some more. Most attacks delivered by websites succeed because victims fail to update their computer systems, and Yahoo’s latest infections are no different. This week’s Yahoo attack pages look for visitors who have failed to update Adobe Flash Player. Flash Player is used to view animations and videos hosted by millions of websites, and requires frequent updating. The bad guys discover programming errors in products like Flash Player that allow them to invade and infect innocent computer users’ systems. Updates fix those errors and protect computers. It’s that simple.
Past malvertising attacks have exploited problems found in Java, Adobe Reader PDF files, Microsoft Word documents, Excel files, Windows, and the list goes on. Keeping these programs updated and patched is the best way to stay protected. You can be sure that Yahoo will not update them for you.