Yahoo Users Hit By Malicious Ads
from the disable-java dept
There has been an unfortunately long history of malware attacks via ad networks, often created by hacking into networks, but sometimes just by sneaking in a legitimate-looking ad that that is able to then sneak in an exploit. Over the weekend, it came out that hundreds of thousands of Yahoo users in Europe were exposed to ads that automatically tried to install malware as part of an attempt to build a botnet. The exploit used security holes in Java (not Javascript, which, once again, we need to remind people is entirely different). It’s long been recommended that you turn off Java completely in your browser, so this is yet another reminder.
Still, for a company the size of Yahoo, this is pretty embarrassing. You expect smaller companies to get hit by this sort of thing. Yahoo is supposed to be better than that. Coming so soon after the company could barely seem to keep its email products online, suggests a company that is really struggling on the tech side. Of course, this shouldn’t be a huge surprise. We’d noted back when Yahoo decided to go all patent trolly and sue Facebook that it was going to damage its reputation. It’s tough to keep good techies around when you do things like that, and perhaps Yahoo could use a few good techies right about now.
Comments on “Yahoo Users Hit By Malicious Ads”
People still use Yahoo?
Re: Re:
Yes I use it every day.
I like the way they aggregate the news and allow anonymous user commentary.
I also am a paranoid internet user so I’ve got every conceivable ad blocker and tracker block installed.
So I never see their ads and I’m feeling good about that right now.
Re: Re: Re:
Paranoid Internet users do not use webmail hosted from 3rd parties, period.
Re: Re:
Yes, albeit with increasing reluctance. I haven’t got the time or the patience to track down every user account for forums and other web services and change my email address.
Re: Re:
I only use yahoo email because Verizon uses ‘Verzion Yahoo’ email accounts. It still ends in @verizon.net, but I have to login to it at yahoo’s website.
Re: Re: Re:
You have a myriad of email options. You don’t have to use the one that comes with your internet service. I don’t use mine (I never even check it), and personally know very few people who use theirs.
Re: Yahoo
I have been using Yahoo Mail for years and had few problems until the last few months. I have been trying to contact Yahoo Customer service for a week. 6 hours on the phone being repeatedly cut off. 3 emails a day to the address they give, their responses appear to be being sent to my yahoo mail account, which I can not access. My problem? They told me to reset my password, which I tried to do. ANY new password is too weak and the old one no longer works. I thought the big banks had bad customer service…
Another iFrame exploit strikes again! The crafty thing about iFrames is that they can create a window that’s only 1 pixel large. Kind of hard to see an window that small embedded in a webpage.
Then BOOM goes the trojan dynamite!
Re: Re:
NoScript does a very good job of stopping these types of exploits.
Nothing new...it was a matter of time...
I have been a Yahoo Mail user for years…and a number of years before you could log into your gmail account from it, the spam filter busted…
You now know the reason why the adblocker stays on, always. Yahoo! isn’t the first to have this problem nor will it be the last time it is heard about. It’s not just Yahoo! but any that serve ads.
Since it is a matter left up to me to fix and clean up if I get infected, ads and commercials simply aren’t worth allowing to show. It’s a security matter and I don’t care how bad they want money for ad viewing. They don’t show up to fix my computer that sometimes may take hours to straighten out. I see no value in allowing their ads through. I’ll move on rather than all them access, just because of this reason. Ads are never trustable.
The NSA also loves Yahoo for just that reason.
At the same presentation where Jacob Applebaum talked about the NSA’s bios and hardware hacking the slides specifically singled out Yahoo quite a few times. Probably because it’s a site with poor security that many non techies use.
http://www.youtube.com/watch?v=b0w36GAyZIA
Ad networks
That’s one of the problems with ad networks: Yahoo has no direct control over what ads get carried and may not know exactly who’s placing ads on their site. That’s one reason I’d never allow an ad network onto a site I run, I want to know who I’m dealing with and I can’t if there’s a middleman in between.
Question
I am pretty much a novice and I was just wondering; I use Jdownloader and it shows up in Task Manager as Java(TM) Platform SE Binary (32 bit). I use Firefox with Ad Block and DoNotTrackMe and I have the Java add on turned off. Is Jdownloader risky to use? By the way, DoNotTrackMe says there 9 trackers at this site. Google+1, Facebook Connect, Google Analytics, Twitter Badge, Reinvigorate, Comscore Beacon, Quancast, ChartBeat and ShareThis. WTF?
Re: Question
Jdownloader is a Java application, not a Java browser applet. I’m not sure why Java applets are so vulnerable nowadays (last time I dabbled in Java anything that might possibly cause trouble required valid certification and express permission from the end-user), but the news articles I’ve seen only mention Java used in browsers, so presumably Java applications and Android apps aren’t at risk.
http://noscript.net/
Upon reading this article, I absolutely had to. I had to check the Escapist (an online site dedicated to gaming and movie pop culture). A month or so ago, I left that site forever because one of the rules for their community forums was basically “Thou Shalt Not Talk About Ad-blockers Because They Are Illegal” (seriously, that was the justification they gave).
No article there, and something like this is usually up their alley. I was so tempted to leave a post in their forums, but ultimately decided not to.
Yahoo is a disaster
Those of us who have worked in the tech community for decades frequently talk to each other back-channel, because that’s how we actually get things done. Nearly all the time, we can find a way to communicate with our peers elsewhere — the people with their hands on the buttons and knobs behind the scenes.
This has become increasingly impossible to do with Yahoo. For example, attempts to reach anyone, ANYONE, with a clue in their email operation have failed completely. Responses are boilerplate, wrong, illiterate, irrelevant, or insane. Things that are obviously badly broken stay broken. Odd behavior is the norm, not the exception. Mail disappears all the time for no good reason. Queues back up and flush randomly. They keep changing their UI and confusing their users — it now sucks worse than ever. Their “spam filtering” is a terrible joke, it’s worse than useless.
And so on. The same things can be said about their web operations, their network operations — every technical aspect of Yahoo seems to be run by chimps on crack.
This isn’t an accident: it’s well-known that Yahoo routinely fires senior/experienced people because they’re expensive, and tries to replace them with junior/inexperienced people — who simply aren’t good enough to run the operation.
As a result, “using Yahoo” is right up there with “using Facebook” as one of the very stupidest things you can do on the Internet.
Re: Yahoo is a disaster
Are you saying the Yahoos are running Yahoo!
I use AdBlock, so that is not a problem. In addition to a good anti virus program, you also need to have AdBlock installed on your computer, to stop that ad-based malware before it can get into your system.
Yahoo email still does not work ...
so how do they expect to keep any customers for any ads to be seen?
Java, Javascript, Active X, I’ve disabled them all. I also have a good firewall set at maximum security.
I always review my firewall logs after a surfing session. One time I noticed several intrusion attempts from various different IPs all trying to get into my computer through the same port (port 16464). I wondered what’s so special about that port so I got back on the net and looked it up. Turns out that port is used by a botnet (Zero something-or-other). They still keep trying, but my firewall keeps ’em out.
Another case in favor of using Adblock everywhere.
I wish they'd DIY it
I used to work at a company that wanted to be able to track ads in 30 second intervals, where a “sponsor” company would be the only advert a user saw for the whole visit. The max charge/billing was 5 (or 15) minutes iirc… It was actually a creative way to do the ads, and all the ads being for the same company was consistent. None of the existing ad networks supported this model, so we rolled our own. It wasn’t very difficult and our billing was pretty transparent. The plus side is coming from the same set of servers they were less likely to be blocked, and not injection of scripts.
The ad frames themselves reported back, in addition to the parent. This gave us muck better insight than we got from ad networks. Too bad more sites don’t revert to this, especially big guys… Ad curating your own site is important, and as much as they can generate the likes of ad networks isn’t well curated.
From your own linked article about Yahoo/Facebook fighting over patents: ” You especially don’t go patent crazy if you want to retain top engineering talent.”
Do you have any actual references to this or is this hyperbole? I mean, it seems like common sense, but I imagine Engineers work based on incentive and personal preferences, and they might totally ignore lawyer cat-fights as a matter of principle.
Just seems like a strange uncorroborated statement to keep referencing without standing.