Everything you need to know about Yahoo’s security breach
Over the weekend, news broke that tech giant Yahoo was serving advertisements that could allow hackers to gain control over users’ computers. That’s triggered concerns across the Internet about who’s at risk, how users can tell if they’ve been affected and what people can do about it. Here’s an explanation of what happned at Yahoo and how it might affect certain users.
Wait, Yahoo was serving serving up malware?
Yes. The security firm Fox-IT was the first to report the problem on Friday. Basically, users visiting yahoo.com were served ads from ads.yahoo.com. That part is normal. But some of those “advertisements” weren’t actually ads. They were malicious software that redirected visitors to a Web site that attempted to take over their computers. If successful, the malicious software, known as “malware,” can spy on you, collect passwords or credit card numbers, order your computer to automatically generate fraudulent pageviews for a third-party Web page to generate advertising revenue, or even hijack your computer to generate bitcoins.
This is big news because yahoo.com is the fourth most visited Web site in the world. There are also reports that the malicious ads were served to Yahoo Mail and Yahoo Messenger users. Based on a sample of traffic that Fox-IT studied, the compamy estimates that the malicious site received 300,000 visits per hour. “Given a typical infection rate of 9% this would result in around 27.000 infections every hour,” the firm wrote.
That sounds like a lot of people. How long were Yahoo advertisements redirecting to this malware?
Several days, at least. While Yahoo’s original statement to the press only highlighted Jan. 3, the day researchers posted information about the hack, Yahool later said it was “served between December 31 – January 3—not just on January 3.” Fox-IT says the attacks started even earlier, on Dec. 30. But it appears to be finished for now.
Does this affect me?
If you’re in the United States, probably not. A Yahoo spokesperson says that “users in North America, Asia Pacific and Latin America were not served these advertisements and were not affected, nor were “users using Macs and mobile devices.”
Well, I live in Europe and use a Windows PC.
Then if you used Yahoo services or visited pages featuring Yahoo-served ads within the last week you should probably get checked out. Running an anti-virus program is the best place to start.
So, I’m still not sure I understand what happened. Was Yahoo hacked?
Maybe. Ashkan Soltani, a security researcher and Washington Post contributor, says that these types of attacks are often are “the result of hacking an existing ad network.” But he also suggested another option: The perpetrators may have submitted the malicious software as an ordinary ad and managed to sneak it past Yahoo’s filters. Yahoo’s statement says it “served some advertisements that did not meet our editorial guidelines, specifically they spread malware.”
How, exactly, were these malicious ads able to compromise users’ computers?
The exploit kit deployed here uses vulnerabilities in Java, a plugin technology that was once hailed as a major step forward in making Web sites more interactive. But legitimate developers are now much more likely to use JavaScript (which is a separate technology) or Flash for that purpose. While the mainstream development world has largely abandoned Java, hackers have found its security flaws a convenient way to compromise less tech-savvy users.
Can I turn Java off?
You sure can. In fact, some browser vendors are already planning to block it. If you want to get a head start, you can disable it on your own.
So, who was behind this attack?
We don’t know yet. But Fox-IT says the hit “bears similarities to the one used in the brief infection of PHP.net in October 2013,” and that it was “clearly financially motivated.”
How is Yahoo handling this?
Not particularly well, from the looks of it. The confusion about how long malicious ads were served seems to suggest that the company had trouble measuring the full impact of the problem. Despite some statements to the press, Yahoo hasn’t posted anything to its official Tumbler explaining the problem to users. And it has been a rough couple of months for Yahoo on the technical side — including a major Yahoo Mail outage that left about a million users without access to their e-mail for days on end.
