It was discovered on Friday, but it may have been going on for a week. Adverts on Yahoo have been infecting users’ computers with malware and may have been turning them into zombies for use in further criminal activity.
It is a blow to Yahoo, which has been struggling in recent months and losing market share to its own business partner Microsoft. A series of outages in December – apparently caused by a hardware problem – left users frustrated, as did problems with Yahoo's free email service. There has even been speculation about the survival of CEO Marissa Mayer, despite the praise she received early in her tenure for turning the struggling company’s fortunes around.
“At Yahoo, we take the safety and privacy of our users seriously,” said Yahoo in a statement released on Saturday. “We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity.”
It is still not known where or how the problem originated. Most observers think Yahoo’s servers must have been hacked, but others have suggested that the malware may have simply slipped past Yahoo’s security systems by looking like ordinary advertising material. Java, which Yahoo still uses for this purpose despite other companies increasingly moving away from it, is known to have weaknesses in this area. The simplest way to reduce the risk from malware such as this is to disable Java, which is an option in most browsers.
Yahoo estimates that around 27,000 users per hour were being infected while the malware was in place. Those who clicked on ads there between Christmas and yesterday should watch out for unusual behavior in their computers, especially slowing down or unexpected reductions in available memory, as this could be a sign that their computers have been zombified and are being used by someone else.
The big problem for Yahoo is that this incident may leave people disinclined to click on its ads, meaning that marketers will be disinclined to place their ads there. This could potentially result in a serious loss of revenue at a time when the search engine is already vulnerable. Yahoo may have to overhaul its security system in order to restore confidence. At this point there are no signs that legitimate advertisers have lost money as a result of the attack itself, but anyone relying heavily on advertising on Yahoo would be well advised to work on a back-up plan.