A few days before CES 2014, security researchers discovered that Yahoo was unknowingly distributing malware via the ads displayed on its home page. As many as 2 million European users were at risk of having been infected during the four days hackers exploited holes in the company’s Java-based ad network. Some of the affected computers were transformed into improvised Bitcoin miners to gather the cryptocurrency for the hackers responsible. Yahoo was not very forthcoming about the issue: it offered only limited details about the attack, without specifying how many users were infected or helping any of them deal with the matter, The Guardian reports.
“From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware,” the company said in a statement. “We will continue to monitor and block any advertisements being used for this activity. We will post more information for our users shortly.”
Meanwhile, Yahoo made several announcements at CES 2014 during its media event, although it did not address this security matter. The company had to deal with a similar PR mess just recently when it failed to properly acknowledge a Yahoo Mail downtime that affected many customers for an extended period of time.
According to security firms, the malware that took advantage of Java flaws in Yahoo ads infected some 27,000 machines per hour during the four days it was active on the site. Some of the malware programs delivered via ads can steal banking information, hijack the data for ransom, control the computer's browser to click on certain ads, or enlist the machine in a botnet that can be used for various purposes.
Mining the popular digital currency Bitcoin requires extensive computer use. Hackers have apparently been able to harvest the computing power of thousands of machines to mine for Bitcoin without users knowing it. Thus, attackers did not have to spend any money on the expensive equipment or electricity required for mining. Because Bitcoin mining is more profitable on “stolen computers with stolen energy,” similar attacks are expected in the future.