Researchers at Malwarebytes, an anti-malware software vendor, uncovered a large scale attack against Yahoo users through Yahoo's own advertising network. Malwarebytes notified Yahoo about it and the "malvertising" campaign is no longer in progress.
The attack was possible due to Flash vulnerabilities in unpatched versions of Flash, perhaps even the same vulnerabilities that got Mozilla to block Flash by default in its browser for a few days until Adobe released the patch. Not all Flash users have updated to the latest version, though, which means they are still vulnerable to these highly dangerous security holes.
Yahoo owns large Web properties with an estimated 6.9 billion visits per month in total, according to data from SimilarWeb, which means even if a small percentage of those visits resulted in malware installation on the users' PCs, it could still affect millions of people.
Malvertising is particularly dangerous because it requires no action from the user, and it can download and install itself automatically on the user's PC (assuming the user is on a Standard account and not an Administrator one, and the User Account Control protection is weak enough to be bypassed, or the malware uses local privilege escalation zero-days).
The malware can also install "ransomware" on users' PCs and lock their files until the users pay the criminals.
Kowsik Guruswamy, CTO for Menlo Security, has a few pointers for how to protect yourself against this type of malware.
Disable Flash on your endpoints. This can be like cutting off your fingers to avoid getting splinters, but if the splinters are bad enough, maybe it's what you need to do.Isolate your Web traffic so that malicious content never reaches your endpoint. The Menlo Security Isolation Platform does that. Continue browsing the Web with Flash enabled and hope you dodge the inevitable bullet.He also added that, "The inconvenient truth about the Web is that it's dangerous and it's not the kind of place you should go without effective protection. There's no way to stop cyber criminals from attacking, and there's no way to detect and stop all of their attacks. The only way to be safe is to execute *all* Web content away from your endpoint so it can't do harm even if it's malicious. That's what isolation security is all about, and it seems pretty clear that its time has come."
Yahoo users could also use a browser that sandboxes and patches Flash automatically, such as Chrome.