Yahoo, Inc.’s advertising network has been found to be unknowingly serving malicious code that may have seen millions of visitors to Yahoo properties hacked.

The attack, which is reported to have started on July 28, saw malware that exploited Flash vulnerabilities delivered via advertising to over a staggering 7.5 billion visits, a number believed to make it the one of the largest attacks of its sort ever seen.

Malwarebytes Corp., the company that exposed that Yahoo was being targeted, said the company is the latest victim of a singular group that has been involved in a number of large-scale “malvertising” campaigns of this sort, including more recently targeting the website of celebrity chef Jamie Oliver.

Utilizing the popular, among hackers, Angler Exploit Kit, the group of hackers purchased ads across Yahoo’s main properties to deliver the malicious ads, and when those ads were displayed, the malware code was automatically downloaded without the need for the user to have clicked on the ad.

Once injected into the victims computer (Windows only), the malware looks for an out-of-date version of Adobe Flash which can be utilized to take control of the computer, with any number of various outcomes, from ransomware attacks through to banking trojans or even additional advertising fraud software all able to be installed on the controlled computer.

“Right now, the bad guys are really enjoying this,” Malwarebytes security researcher Jérôme Segura told The New York Times. “Flash for them was a godsend.”

Yahoo responds

Unconfirmed reports suggest that some Yahoo properties were offline briefly on Monday after the company became aware of the issue, although Malwarebytes notes that the attack is still ongoing.

In a statement, Yahoo was rather contrite, noting that this is not a problem specific to them alone, before making a number of motherhood statements that didn’t reference this specific attack:

“Yahoo is committed to ensuring that both our advertisers and users have a safe and reliable experience. As soon as we learned of this issue, our team took action and will continue to investigate this issue.

Unfortunately, disruptive ad behavior affects the entire tech industry. Yahoo has a long history of engagement on this issue and is committed to working with our peers to create a secure advertising experience. We’ll continue to ensure the quality and safety of our ads through our automated testing and through the SafeFrame working group, which seeks to protect consumers and publishers from the potential security risks inherent in the online ad ecosystem.”

In a separate statement to PC Magazine, Yahoo claims to have since blocked the malicious advertiser from its network versus saying it had blocked the code (it’s not hard to set up a new account,) and further declined to say how many users were affected by the attack before claiming that “the scale of the attack was grossly misrepresented in initial media reports and we continue to investigate the issue.”

If you’ve visited a Yahoo property in the last week and you’re a Windows user, make sure your anti-virus software is up-to-date; the old adage applies here when it comes to exposure to nefarious code online: always practice safe internet.

Image credit:electronicfrontierfoundation/Flickr/CC by 2.0