Incident: Yahoo Malvertising Attack via Adobe Flash on Windows Systems.

Published Date: 2015-08-04

Postmortem Analysis
Timeline
1. The malvertising attack on Yahoo's ad network took place in July 2015 [38971, 39160].

System
1. Adobe Flash - A bug in Adobe Flash was leveraged in the malvertising attack on Yahoo's ad network, leading to the distribution of malware to visitors of Yahoo's sites [38971, 39160].

Responsible Organization
1. Malwarebytes [Article 38971, Article 39160]
2. Yahoo's ad network [Article 38971, Article 39160]
3. Adobe Flash [Article 38971, Article 39160]

Impacted Organization
1. Users who visited Yahoo's popular family of sites [38971, 39160]
2. Windows computer users who visited the infected ads on Yahoo's sports, news, and finance sites [38971]

Software Causes
1. The software cause of the failure incident was a bug in Adobe Flash that the attackers leveraged to send malicious code to users' computers [38971, 39160].
2. The malvertising campaign exploited a vulnerability in Adobe Flash to deliver malicious adverts and attempt to install malware on users' computers [39160].

Non-software Causes
1. The malvertising attack leveraged a vulnerability in Adobe Flash, a graphics program with a history of security problems [38971, 39160].
2. The attack exploited weaknesses in multisite ad networks, which allow advertisers to buy slots on major websites algorithmically [39160].

Impacts
1. The software failure incident led to the distribution of malware to the computers of users who visited Yahoo's popular family of sites, potentially compromising their security and privacy [38971, 39160].
2. The attack exploited a vulnerability in Adobe Flash, highlighting the risks of running outdated software with known security issues [38971, 39160].
3. The incident raised concerns about the security of online advertising systems and the potential for malicious actors to use malvertising to target users on legitimate websites [38971, 39160].
4. The attack affected a significant number of users given the high traffic volume on Yahoo's websites, although the exact number of impacted individuals was not disclosed [38971, 39160].
5. The incident underscored the challenges faced by multisite ad networks in preventing the spread of malware through online advertisements, emphasizing the need for improved security measures in the digital advertising ecosystem [39160].

Preventions
1. Regularly updating software: Keeping software up to date, especially vulnerable programs like Adobe Flash, could have prevented the exploit leveraged in the malvertising attack [38971, 39160].
2. Implementing stricter ad network security measures: Strengthening the security protocols within ad networks to detect and prevent malicious ads from being served to users could have mitigated the risk of malvertising attacks [38971, 39160].
3. Enhanced automated testing of ads: More robust automated testing of advertisements, to identify and block potentially harmful content before it reaches users, could have helped prevent the dissemination of malware through ads [39160].

Fixes
1. Updating Adobe Flash to patch the vulnerability exploited by the attackers could help fix the software failure incident [38971, 39160].
2. Implementing stricter ad network security measures to prevent malicious ads from being served to users could mitigate the risk of similar malvertising attacks in the future [38971, 39160].
3. Enhancing automated testing of ads and participating in initiatives like the SafeFrame working group to ensure the quality and safety of ads displayed on websites could help prevent such incidents [39160].

References
1. Malwarebytes [Article 38971, Article 39160]
2. Yahoo spokesperson [Article 38971]
3. The New York Times [Article 38971]
4. The Washington Post [Article 38971]
5. Apple blogger John Gruber [Article 39160]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to malvertising using a vulnerability in Adobe Flash has happened again at Yahoo. In the past, Yahoo experienced a similar incident in which attackers used a flaw in Java to install software [38971, 39160].
(b) The incident involving malvertising exploiting a vulnerability in Adobe Flash has also occurred at other organizations. The weakness in Adobe Flash has been exploited in the past by attackers targeting major websites through multisite ad networks [39160].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident reported in the articles can be attributed to the design phase. The incident was caused by a bug in Adobe Flash, a graphics program with a history of security problems. The attackers leveraged this bug to send malicious code through Yahoo's ad network to visitors of legitimate sites, including Yahoo's sports, news, and finance sites [38971, 39160].
(b) The failure incident can also be linked to the operation phase. The attack involved malvertising, where the attackers bought digital ad space on Yahoo's websites to serve up malicious software to visitors. Users did not have to interact with the ads; simply browsing the affected pages was enough to potentially infect their computers. This highlights the risk associated with the operation of online advertising systems and the exposure of users while browsing websites with ads [38971, 39160].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident involving Yahoo's ad network sending malware to users' computers was primarily due to a bug in Adobe Flash, a component within the system that had a history of security problems [38971, 39160]. The attack leveraged this vulnerability within the system to deliver malicious software to visitors of legitimate sites, including Yahoo's own sites.
(b) outside_system: The attack was initiated by malicious actors who bought up digital ad space to serve up the malicious software, taking advantage of the online advertising system that supports much of the Web [38971, 39160]. This external factor of malicious actors exploiting the ad network contributed to the software failure incident.

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in the articles was primarily due to non-human actions. The incident was caused by a malvertising campaign that exploited a vulnerability in Adobe Flash to deliver malicious software to visitors of Yahoo's websites [38971, 39160]. The attack leveraged a bug in Adobe Flash, a graphics program with a history of security problems, to send malicious code to users' computers without requiring any action from the users themselves [38971]. This type of attack, known as "malvertising," takes advantage of the online advertising system to serve up malware to visitors of legitimate sites [38971].
(b) While human actions were involved in the sense that the attackers intentionally purchased advertising space on Yahoo's websites to deliver the malicious ads, the root cause of the software failure was the exploitation of a vulnerability in Adobe Flash, which is a non-human factor [38971, 39160]. The attackers used the weakness in Adobe Flash to attempt to install malware on users' computers, highlighting the importance of addressing software vulnerabilities to prevent such incidents [39160].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident related to hardware:
- The incident involved a malvertising attack that leveraged a bug in Adobe Flash, a software program [38971].
- The attack sent malicious code to Windows computers through infected ads, exploiting an out-of-date version of Flash to potentially hijack the computer [38971].
- The attack did not require users to do anything other than browse to a page featuring the malicious advertisements, indicating that the hardware itself was not the direct cause of the failure [38971].
(b) The software failure incident related to software:
- The malvertising campaign targeted Yahoo users by delivering malicious adverts through the company's websites [39160].
- The attack attempted to exploit a vulnerability in Adobe Flash to install malware on users' computers, highlighting the weakness of multisite ad networks in filtering out malware before it reaches end users [39160].
- The incident underscores the importance of addressing software vulnerabilities, such as those in Adobe Flash, to prevent similar attacks in the future [39160].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident in the articles is malicious in nature. Malware was sent to users' computers through Yahoo's ad network as part of a malvertising attack orchestrated by a malware company [38971, 39160]. The attack aimed to install malicious software on users' computers without requiring any user interaction, highlighting the malicious intent behind the incident.

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident:
- The software failure incident involving Yahoo's ad network sending malware to users' computers was not due to accidental decisions but rather poor decisions. The incident was a result of malicious actors buying up digital ad space on Yahoo's websites to serve up malicious software to visitors [38971, 39160].
- The attackers leveraged a bug in Adobe Flash, a program with a known history of security problems, to exploit users' computers [38971, 39160].
- The attack was a deliberate malvertising campaign aimed at installing malware on users' computers without requiring any user interaction [39160].
- Yahoo's response to the incident included blocking the advertiser from its network and emphasizing the need for a secure advertising experience [38971].
- The incident highlighted the weakness of multisite ad networks and the challenges in filtering out malware before it reaches end users [39160].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident reported in the news articles can be attributed to development incompetence. The incident involved a malvertising attack on Yahoo's ad network, which sent malware to users' computers through malicious ads on Yahoo's popular sites. The attack leveraged a bug in Adobe Flash, a program with a history of security problems. The attackers took advantage of the online advertising system to serve up malicious software to visitors of legitimate sites, including Yahoo's sports, news, and finance sites [38971, 39160]. The incident highlights the risks associated with vulnerabilities in software programs like Adobe Flash and the potential consequences of not addressing known security issues. It also underscores the importance of maintaining professional competence in software development to prevent such attacks and protect users from malicious activities.

Category: Duration
Option: temporary
Rationale:
(a) The software failure incident in the articles was temporary. The incident involving Yahoo's ad network sending malware to users' computers lasted for about a week before it was resolved [38971]. Malwarebytes, the company that discovered the malvertising attack, alerted Yahoo about the malicious adverts, and Yahoo promptly pulled them from its websites [39160]. The attack leveraged a bug in Adobe Flash, which the attackers exploited to deliver the malware to users [38971].

Category: Behaviour
Option: value, other
Rationale:
(a) crash: The software failure incident in the articles did not involve a crash in which the system loses state and performs none of its intended functions [38971, 39160].
(b) omission: The incident did not involve the system omitting to perform its intended functions at one or more instances [38971, 39160].
(c) timing: The incident did not involve the system performing its intended functions correctly but too late or too early [38971, 39160].
(d) value: The software failure incident in the articles involved the system performing its intended functions incorrectly, as it allowed malicious ads to deliver malware to users' computers [38971, 39160].
(e) byzantine: The incident did not involve the system behaving erroneously with inconsistent responses and interactions [38971, 39160].
(f) other: The software failure incident involved the system being exploited by malicious actors who used malvertising to deliver malware to users' computers through vulnerabilities in Adobe Flash [38971, 39160].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property, theoretical_consequence
Rationale:
(a) death: People lost their lives due to the software failure.
(b) harm: People were physically harmed due to the software failure.
(c) basic: People's access to food or shelter was impacted because of the software failure.
(d) property: People's material goods, money, or data were impacted due to the software failure.
(e) delay: People had to postpone an activity due to the software failure.
(f) non-human: Non-human entities were impacted due to the software failure.
(g) no_consequence: There were no real observed consequences of the software failure.
(h) theoretical_consequence: Potential consequences of the software failure were discussed but did not occur.
(i) other: Was there a consequence of the software failure not described in options (a) to (h)? What is the other consequence?
The articles do not mention any consequences related to death, physical harm, impact on access to food or shelter, or impact on non-human entities due to the software failure incident. The primary consequence discussed in the articles is potential harm to users' computers, such as the installation of malware, ad fraud, and ransomware programs, as well as the exploitation of vulnerabilities in Adobe Flash to potentially hijack computers and mine bitcoins [38971, 39160]. The incident caused disruption and potential security risks for users but did not result in any reported physical harm or loss of life.

Category: Domain
Option: information, finance
Rationale:
(a) The software failure incident reported in the articles is related to the information industry. The incident involved Yahoo's popular family of sites, including sports, news, and finance sites, being targeted by a malvertising attack that sent malware to visitors' computers [38971, 39160].
(h) The incident also has implications for the finance industry, as it involved the delivery of malicious adverts in an attempt to install malware on users' computers, which could potentially lead to financial fraud or ransomware programs [39160].
(m) Additionally, the incident is relevant to the technology industry, as it highlights the risks associated with online advertising systems and vulnerabilities in software such as Adobe Flash [38971, 39160].

Sources
