On July 28, popular website Yahoo! became the one of the latest websites targeted by malicious ads that redirect to the Angler Exploit Kit, which attempts to take advantages of security holes in Adobe Flash. Yahoo! has an estimated 6.9 billion visitors per month.
From The New York Times:
The attack, which started on July 28, was the latest in a string that have exploited Internet advertising networks, which are designed to reach millions of people online. It also highlighted growing anxiety over a much-used graphics program called Adobe Flash, which has a history of security issues that have irked developers at Silicon Valley companies.
Malwarebytes and Business Insider provide more information about this specific incident.
Yahoo! became aware of the attack on August 3 and has released a statement indicating their team has "taken action" (shortened):
"Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue.... We'll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group...."
(Score: 3, Informative) by takyon on Wednesday August 05 2015, @03:45AM
Jan 10, 2014: Yahoo's malware-pushing ads linked to larger malware scheme [pcworld.com]
Oct 22, 2014: 'Malvertising' Crooks Earn $25,000 A Day Attacking Yahoo And AOL Users [forbes.com]
Oct 23, 2014: Researchers at Proofpoint have uncovered a malvertising campaign that hit a number of high-profile sites, including Yahoo, Match.com and AOL domains. [securityweek.com]
...
I chuckle at "people" who try to claim that blocking ads/scripts is unethical. As if slowing your browsing wasn't bad enough, they are a common risk vector.
But don't take it from me... what does Yahoo! have to say about it?
...
What Is Malvertising? The Next Digital Threat [yahoo.com]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 4, Insightful) by looorg on Wednesday August 05 2015, @03:49AM
I had to stop reading for a moment after the first sentence. Yahoo! has 6.9 billion visitors per month! That is shocking and surprising news indeed. Is that 6 billion people that can't change their startpage?
(Score: 0) by Anonymous Coward on Wednesday August 05 2015, @04:57AM
Or ~230 million go there once a day, or 23 million 10 times a day, or 2.3 million 100 times each day.
(Score: 3, Insightful) by acharax on Wednesday August 05 2015, @04:46AM
What those ad networks serve normally tends to be just as malicious, the malware just happens to be more honest about its purpose.
(Score: 2) by Snotnose on Wednesday August 05 2015, @11:34AM
I hit em up daily for the comics: https://news.yahoo.com/comics/ [yahoo.com]
I just wish they would allow me to customize which comics I see.
When the dust settled America realized it was saved by a porn star.
(Score: 2) by hendrikboom on Wednesday August 05 2015, @02:19PM
Try comic rocket: https://www.comic-rocket.com/ [comic-rocket.com]
It specialises in webcomics, but a lot of the regular newspaper comics *are* now webcomics, too. It's a tool that directs you to the web pages of the various comics.
I use the comicrocket app on my android tablet. It's a specialised browser that directs me to those same web pages, and makes it easy to step through their archives.
-- hendrik
(Score: 5, Interesting) by hankwang on Wednesday August 05 2015, @05:15AM
Can someone explain how tbis works? I have always assumed that an advertiser provides the graphics and target URL if the ad is clicked, and that the ad network wraps it in a javascript/Flash template.
Do the ad network allow the advertiser to provide their own Flash scripts? If that is the case, then I'm baffled. Or were the ad servers compromised in some other way?
Avantslash: SoylentNews for mobile [avantslash.org]
(Score: 4, Interesting) by mendax on Wednesday August 05 2015, @05:38AM
A few days ago I sent a message to the folks at NPR (that's National Public Radio for you non-American folks) complaining that in order for me to stream their audio content I have to have the Flash player installed and enabled in my browser. I have the more recent version of Flash installed on my Macs and Linux (yes, I know the Linux one is no longer supported) but I've disabled it in the browser because some web sites, including the New York Times and the Dice-owned and devastated one which we do not mention here, run video ads that just play after an auto-refresh of the page, driving me crazy. I told them it's crazy to require Flash because modern web browsers of the last several years don't require plug-ins to play audio or video. (Even the ancient version of Safari on my Snow Leopard-based MacBook has HTML5 support for MP3 and video streams.) Here's what they said to me:
And it's been hacked to death and is a security nightmare. Helloooooooo! Flash is obsolete for good reason! Google supports HTML5 features with YouTube, and even makes it easy to determine if your browser is compliant through its https://youtube.com/html5 [youtube.com] page.
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 2) by c0lo on Wednesday August 05 2015, @07:03AM
Yes, but it is not YouTube that makes Flash popular.
If you wonder what it is, I'll direct your attention to video format wars [wikipedia.org].
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 1) by massa on Wednesday August 05 2015, @12:31PM
I always enable click-to-flash on Chrome. That way, I only run what I really want...
(Score: 2) by Runaway1956 on Wednesday August 05 2015, @01:45PM
Obvious is obvious, isn't it? I suppose we'll have another story soon, telling us how remarkable it is that the sun was observed to rise in the east.
(Score: 3, Insightful) by halcyon1234 on Wednesday August 05 2015, @01:55PM
This is why I never have, and never will, whitelist any site in AdBlock. It isn't the site owner I don't trust. It's the third party ad networks.
Time and time again, they let through malicious content. This ranges from the "allowed" malicious content (ads for diet pills, financial scams, snakeoil products, etc), all the way up to malware and exploits. Allowing these third party ad networks to have any sort of access to your computer is harmful, bordering on negligent.
And of course nothing is really done about the constant barrage of this content. It's all hidden behind layer upon layer of obfuscation and "someone else's problem". Seriously, who are you going to complain to about malicious content? The site owner? They have no control over it. They just drop in the js code, and get ads delivered. The ad network? Nope, they're just a delivery aggregate. They pull in "relevant" content from a number of different ad networks. How about those networks? Well, it's not like anyone will actually tell you which sub-network delivered it, but again if you managed to track it down-- hey, they just play what the ad agencies upload. Okay, so track down the agency-- nope, they just subcontract out to a bunch of firms, they don't know which firm is responsible for which ads at that time. And of course each of those firms deals with multiple clients, who are just the marketing departments for a sub-contractor for the actual company. And those companies may just be shells for some guy selling pills form his basement. There is zero responsibility across the entire chain, except getting paid.
And speaking of getting paid, of course someone will pipe up with 'ad blocking hurts creators'. I have no problem supporting creators. I might even whitelist one that runs first party ads they approve themselves. I certainly crowdfund enough. Which is why I ask those creators-- why are you defending our common enemy, the ad networks? They've fucking you over just as much as they're fucking over the eyeballs that view your site. Payout from ad networks has plummeted in recent years-- due to oversaturation, and frankly, because they can. You can have an immensely popular site, running immensely popular videos-- and still barely make coffee money. And you're completely beholden to the ad network. You have to follow their rules, their code of conduct, and effectively sell out your userbase to them for chump change. Why are you defending them, content creators? If you have that large of an audience, you don't need them. Start a Patreon or other crowd fund, and make a living wage.
No one benefits from ads-- except for the ad networks, and those who abuse them.
Original Submission [thedailywtf.com]