In case you weren’t already aware that Flash is useless trash that you should disable immediately, consider the sad tale of last week’s malvertising attack on Yahoo.
Hackers bought ads on Yahoo’s sprawling ad network, but the ads used malicious code to hijack the computers of people with old versions of Flash on Windows.
Yahoo shut down the attack yesterday, but starting July 28, hackers orchestrated a large-scale scheme to take advantage of Flash’s horrible security, which regularly leaves gaping vulnerabilities unfixed. The same kind of attack happened to Google’s ad network earlier this year.
The New York Times described how hackers made money off the sketchy campaign (and how the poor Flash-using schmucks lost it):
From there, the malware hunted for an out-of-date version of Adobe Flash, which it could use to commandeer the computer — either holding it for ransom until the hackers were paid off or discreetly directing its browser to websites that paid the hackers for traffic.
Security company Malwarebytes discovered the attack, and its researcher Jérôme Segura noted that Yahoo.com receives 6.9 billion visitors a month, meaning the hackers had access to a lot of potential Flash patsies. Yahoo hasn’t confirmed the size of the attack, but whatever the final numbers are, let this be a reminder to disable Flash.