Yahoo visitors hit by week-long malware attack

Yahoo has finally shut down a flaw that allowed a group of hackers to infect computers with malware for a full week using the firm's extensive ad network.

First reported by the New York Times, the scheme began on July 28 and involved hackers buying up ad space across Yahoo's sports, finance and news sites before using a flaw in Adobe Flash to take over computers.

Hackers bought ads and inserted malware code so that any computer visiting was infected. The wheels were then in motion as the malware looked for an outdated version of Adobe Flash in order to take control of the computer before either holding the user until money was forthcoming or directing the browser to a site that paid the hackers for traffic.

"Right now, the bad guys are really enjoying this," said Jérôme Segura, a security researcher at Malwarebytes, the security company that uncovered the attack. "Flash for them was a godsend."

Vadim Kotov, a malware researcher at Bromium Labs, added that attacking Yahoo, in particular, was "enormously profitable for criminals" but Yahoo has already come out to deny that the attack was as severe as the two companies reported.

Update Flash now

"We take all potential security threats seriously," said a Yahoo spokeswoman. "With that said, the scale of the attack was grossly misrepresented in initial media reports, and we continue to investigate the issue."

For its part, Adobe has told users to update Flash so computers aren't affected. Another flaw in Adobe Flash is hardly a surprise after a recent report from McAfee Labs highlighted the software platform as one biggest threats to users due to security issues that bring malware to the fore.

• Flash is dead: Youtube drops Flash in favour of HTML5