Yahoo hit by malicious software attack

It’s been a rough couple of months for Yahoo. A scourge of technical difficulties caused a multi-day outage of the site’s email service just last month, an email service that itself adopted a controversial redesign back in October. Now, according to a report from the Washington Post, an even more serious issue has struck Yahoo and its users: a large-scale malware attack.

Supposedly, the malware attack was the work of hackers who effectively took control of Yahoo’s advertising network and used it to spread malicious software to the computers of hundreds of thousands of Yahoo users throughout the first few days of the year. The security hole was reported originally by Fox-IT, a security firm that published a blog post highlighting the malicious advertisements that users should try to avoid.

The malicious advertisements took various forms, including a film website and one which appears to be pornographic. All of the ads, when clicked on, would “exploit vulnerabilities in Java” and install malware on users’ computers. The domains behind the ads appear to be hosted in the Netherlands, where the culprit behind the hacking scheme is likely located.

Fox-IT theorized about just how productive the attack would prove to be fore the hackers, indicating that infections had begun on December 30th and continued, more or less unchecked, over the next few days. When Fox-IT discovered the issue on Friday – Yahoo was apparently unaware of the issue prior to the security firm’s discovery – roughly 300,000 users were seeing the fake ads in any given hour.

The security firm also estimated that only about nine percent of users seeing the ads clicked on them and were infected, a number that seems low, but still lands at 27,000 computers per hour. Over the weekend, the infections have largely been scaled back, thanks to a growing awareness among internet users about the issue and an effort by Yahoo’s security team to eradicate the dangerous advertisements. The overarching goal of the hack has not yet been revealed, but Fox-IT thinks that whoever is behind the attack may be using malicious software to gain access and control of Yahoo users’ computers and then selling that control to other internet lowlifes in an effort to build profit.

Regardless if what these internet criminals want, the Washington Post saw the Yahoo attack as proof that Java needs a security overhaul. The software, which the Post says was originally developed as “a way to make websites more interactive,” has become a security liability since being replaced by Flash and JavaScript. Hackers know how to manipulate vulnerabilities in Java to gain access to computers, and users need to be especially careful if their computer still uses the software.