Yahoo Users Hit By Malicious Ads

from the disable-java dept

Mon, Jan 6th 2014 7:55pm — Mike Masnick

There has been an unfortunately long history of malware attacks via ad networks, often created by hacking into networks, but sometimes just by sneaking in a legitimate-looking ad that that is able to then sneak in an exploit. Over the weekend, it came out that hundreds of thousands of Yahoo users in Europe were exposed to ads that automatically tried to install malware as part of an attempt to build a botnet. The exploit used security holes in Java (not Javascript, which, once again, we need to remind people is entirely different). It's long been recommended that you turn off Java completely in your browser, so this is yet another reminder.

Still, for a company the size of Yahoo, this is pretty embarrassing. You expect smaller companies to get hit by this sort of thing. Yahoo is supposed to be better than that. Coming so soon after the company could barely seem to keep its email products online, suggests a company that is really struggling on the tech side. Of course, this shouldn't be a huge surprise. We'd noted back when Yahoo decided to go all patent trolly and sue Facebook that it was going to damage its reputation. It's tough to keep good techies around when you do things like that, and perhaps Yahoo could use a few good techies right about now.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ads, malware
Companies: yahoo

25 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Alana (profile), 6 Jan 2014 @ 7:55pm

People still use Yahoo?
[ link to this | view in thread ]
Anonymous Coward, 6 Jan 2014 @ 8:18pm

Re:
Yes I use it every day.

I like the way they aggregate the news and allow anonymous user commentary.

I also am a paranoid internet user so I've got every conceivable ad blocker and tracker block installed.

So I never see their ads and I'm feeling good about that right now.
[ link to this | view in thread ]
Anonymous Coward, 6 Jan 2014 @ 8:31pm

Another iFrame exploit strikes again! The crafty thing about iFrames is that they can create a window that's only 1 pixel large. Kind of hard to see an window that small embedded in a webpage.

Then BOOM goes the trojan dynamite!
[ link to this | view in thread ]
Wally (profile), 6 Jan 2014 @ 8:33pm

Nothing new...it was a matter of time...
I have been a Yahoo Mail user for years...and a number of years before you could log into your gmail account from it, the spam filter busted...
[ link to this | view in thread ]
Anonymous Coward, 6 Jan 2014 @ 9:19pm

You now know the reason why the adblocker stays on, always. Yahoo! isn't the first to have this problem nor will it be the last time it is heard about. It's not just Yahoo! but any that serve ads.

Since it is a matter left up to me to fix and clean up if I get infected, ads and commercials simply aren't worth allowing to show. It's a security matter and I don't care how bad they want money for ad viewing. They don't show up to fix my computer that sometimes may take hours to straighten out. I see no value in allowing their ads through. I'll move on rather than all them access, just because of this reason. Ads are never trustable.
[ link to this | view in thread ]
Arthur Moore (profile), 6 Jan 2014 @ 9:51pm

The NSA also loves Yahoo for just that reason.
At the same presentation where Jacob Applebaum talked about the NSA's bios and hardware hacking the slides specifically singled out Yahoo quite a few times. Probably because it's a site with poor security that many non techies use.

http://www.youtube.com/watch?v=b0w36GAyZIA
[ link to this | view in thread ]
TKnarr (profile), 6 Jan 2014 @ 11:22pm

Ad networks
That's one of the problems with ad networks: Yahoo has no direct control over what ads get carried and may not know exactly who's placing ads on their site. That's one reason I'd never allow an ad network onto a site I run, I want to know who I'm dealing with and I can't if there's a middleman in between.
[ link to this | view in thread ]
Jake, 6 Jan 2014 @ 11:52pm

Re:
Yes, albeit with increasing reluctance. I haven't got the time or the patience to track down every user account for forums and other web services and change my email address.
[ link to this | view in thread ]
OldGeezer (profile), 7 Jan 2014 @ 1:30am

Question
I am pretty much a novice and I was just wondering; I use Jdownloader and it shows up in Task Manager as Java(TM) Platform SE Binary (32 bit). I use Firefox with Ad Block and DoNotTrackMe and I have the Java add on turned off. Is Jdownloader risky to use? By the way, DoNotTrackMe says there 9 trackers at this site. Google+1, Facebook Connect, Google Analytics, Twitter Badge, Reinvigorate, Comscore Beacon, Quancast, ChartBeat and ShareThis. WTF?
[ link to this | view in thread ]
Anonymous Coward, 7 Jan 2014 @ 3:17am

Re: Question
Jdownloader is a Java application, not a Java browser applet. I'm not sure why Java applets are so vulnerable nowadays (last time I dabbled in Java anything that might possibly cause trouble required valid certification and express permission from the end-user), but the news articles I've seen only mention Java used in browsers, so presumably Java applications and Android apps aren't at risk.
[ link to this | view in thread ]
Anonymous Coward, 7 Jan 2014 @ 3:25am

http://noscript.net/
[ link to this | view in thread ]
Rikuo (profile), 7 Jan 2014 @ 4:08am

Upon reading this article, I absolutely had to. I had to check the Escapist (an online site dedicated to gaming and movie pop culture). A month or so ago, I left that site forever because one of the rules for their community forums was basically "Thou Shalt Not Talk About Ad-blockers Because They Are Illegal" (seriously, that was the justification they gave).
No article there, and something like this is usually up their alley. I was so tempted to leave a post in their forums, but ultimately decided not to.
[ link to this | view in thread ]
Anonymous Coward, 7 Jan 2014 @ 6:10am

Yahoo is a disaster
Those of us who have worked in the tech community for decades frequently talk to each other back-channel, because that's how we actually get things done. Nearly all the time, we can find a way to communicate with our peers elsewhere -- the people with their hands on the buttons and knobs behind the scenes.

This has become increasingly impossible to do with Yahoo. For example, attempts to reach anyone, ANYONE, with a clue in their email operation have failed completely. Responses are boilerplate, wrong, illiterate, irrelevant, or insane. Things that are obviously badly broken stay broken. Odd behavior is the norm, not the exception. Mail disappears all the time for no good reason. Queues back up and flush randomly. They keep changing their UI and confusing their users -- it now sucks worse than ever. Their "spam filtering" is a terrible joke, it's worse than useless.

And so on. The same things can be said about their web operations, their network operations -- every technical aspect of Yahoo seems to be run by chimps on crack.
This isn't an accident: it's well-known that Yahoo routinely fires senior/experienced people because they're expensive, and tries to replace them with junior/inexperienced people -- who simply aren't good enough to run the operation.

As a result, "using Yahoo" is right up there with "using Facebook" as one of the very stupidest things you can do on the Internet.
[ link to this | view in thread ]
Chilly8, 7 Jan 2014 @ 6:38am

I use AdBlock, so that is not a problem. In addition to a good anti virus program, you also need to have AdBlock installed on your computer, to stop that ad-based malware before it can get into your system.
[ link to this | view in thread ]
Harold K, 7 Jan 2014 @ 6:48am

Yahoo email still does not work ...
so how do they expect to keep any customers for any ads to be seen?
[ link to this | view in thread ]
Anonymous, 7 Jan 2014 @ 6:51am

Java, Javascript, Active X, I've disabled them all. I also have a good firewall set at maximum security.
I always review my firewall logs after a surfing session. One time I noticed several intrusion attempts from various different IPs all trying to get into my computer through the same port (port 16464). I wondered what's so special about that port so I got back on the net and looked it up. Turns out that port is used by a botnet (Zero something-or-other). They still keep trying, but my firewall keeps 'em out.
[ link to this | view in thread ]
Anonymous Coward, 7 Jan 2014 @ 7:23am

Re:
I only use yahoo email because Verizon uses 'Verzion Yahoo' email accounts. It still ends in @verizon.net, but I have to login to it at yahoo's website.
[ link to this | view in thread ]
quawonk, 7 Jan 2014 @ 7:45am

Another case in favor of using Adblock everywhere.
[ link to this | view in thread ]
Tom Stone, 7 Jan 2014 @ 7:57am

Re: Yahoo
I have been using Yahoo Mail for years and had few problems until the last few months. I have been trying to contact Yahoo Customer service for a week. 6 hours on the phone being repeatedly cut off. 3 emails a day to the address they give, their responses appear to be being sent to my yahoo mail account, which I can not access. My problem? They told me to reset my password, which I tried to do. ANY new password is too weak and the old one no longer works. I thought the big banks had bad customer service...
[ link to this | view in thread ]
tracker1 (profile), 7 Jan 2014 @ 8:11am

I wish they'd DIY it
I used to work at a company that wanted to be able to track ads in 30 second intervals, where a "sponsor" company would be the only advert a user saw for the whole visit. The max charge/billing was 5 (or 15) minutes iirc... It was actually a creative way to do the ads, and all the ads being for the same company was consistent. None of the existing ad networks supported this model, so we rolled our own. It wasn't very difficult and our billing was pretty transparent. The plus side is coming from the same set of servers they were less likely to be blocked, and not injection of scripts.

The ad frames themselves reported back, in addition to the parent. This gave us muck better insight than we got from ad networks. Too bad more sites don't revert to this, especially big guys... Ad curating your own site is important, and as much as they can generate the likes of ad networks isn't well curated.
[ link to this | view in thread ]
Indy, 7 Jan 2014 @ 9:10am

Re: Re:
Paranoid Internet users do not use webmail hosted from 3rd parties, period.
[ link to this | view in thread ]
Indy, 7 Jan 2014 @ 10:13am

From your own linked article about Yahoo/Facebook fighting over patents: " You especially don't go patent crazy if you want to retain top engineering talent."

Do you have any actual references to this or is this hyperbole? I mean, it seems like common sense, but I imagine Engineers work based on incentive and personal preferences, and they might totally ignore lawyer cat-fights as a matter of principle.

Just seems like a strange uncorroborated statement to keep referencing without standing.
[ link to this | view in thread ]
Anonymous Coward, 7 Jan 2014 @ 10:35am

Re: Yahoo is a disaster
Are you saying the Yahoos are running Yahoo!
[ link to this | view in thread ]
John Fenderson (profile), 7 Jan 2014 @ 10:55am

Re: Re:
You have a myriad of email options. You don't have to use the one that comes with your internet service. I don't use mine (I never even check it), and personally know very few people who use theirs.
[ link to this | view in thread ]
John Fenderson (profile), 7 Jan 2014 @ 10:56am

Re:
NoScript does a very good job of stopping these types of exploits.
[ link to this | view in thread ]