For seven days, hackers used Yahoo’s ad network to send malicious bits of code to computers that visit Yahoo’s collection of heavily trafficked websites, the company said on Monday.
The attack, which started on July 28, was the latest in a string that have exploited Internet advertising networks, which are designed to reach millions of people online. It also highlighted growing anxiety over a much-used graphics program called Adobe Flash, which has a history of security issues that have irked developers at Silicon Valley companies.
“Right now, the bad guys are really enjoying this,” said Jérôme Segura, a security researcher at Malwarebytes, the security company that uncovered the attack. “Flash for them was a godsend.”
The scheme, which Yahoo shut down on Monday, worked like this: A group of hackers bought ads across the Internet giant’s sports, news and finance sites. When a computer — in this case, one running Windows — visited a Yahoo site, it downloaded malware code.
From there, the malware hunted for an out-of-date version of Adobe Flash, which it could use to commandeer the computer — either holding it for ransom until the hackers were paid off or discreetly directing its browser to websites that paid the hackers for traffic.
“Attacking Yahoo’s visitors would be enormously profitable for criminals,” said Vadim Kotov, a malware researcher at Bromium Labs, a software company, who was not involved with uncovering this attack. “So it makes sense that you’d see this particular type of attack there.”
Attacks on advertising networks have been on the rise, Mr. Kotov and other researchers say. Hackers are able to use the advertising networks themselves, built for targeting specific demographics of Internet users, to find vulnerable machines.
While Yahoo acknowledged the attack, the company said that it was not nearly as big as Malwarebytes had portrayed it to be.
“We take all potential security threats seriously,” a Yahoo spokeswoman said in statement. “With that said, the scale of the attack was grossly misrepresented in initial media reports, and we continue to investigate the issue.”
“In terms of how many people were served a malicious ad, only Yahoo would really know,” Mr. Segura said. But he added: “This is one of the largest attacks we’ve seen in recent months.”
Neither company could say exactly how many people were affected.
After news of the attack was revealed, Adobe asked users to update Flash so their computers would no longer be vulnerable.
“The majority of attacks we are seeing are exploiting software installations that are not up-to-date on the latest security updates,” said Wiebke Lips, a spokeswoman for Adobe.