Yahoo users who searched the Web for erectile dysfunction medication may have inadvertently enriched a Russian cybercriminal in a hack that shows unparalleled intrusion into a technology giant’s infrastructure, information security experts say.
Alexsey Belan, a hacker included on the FBI’s “most wanted” list, is accused of manipulating Yahoo search results in an attempt to drive more people to an online pharmacy paying him for referrals.
Companies trying to game search results by altering headlines and keywords on their own webpages isn’t new. But a hacker attaining access to a search engine’s back end to tinker with the results could be unprecedented. Belan allegedly got into Yahoo’s network through undisclosed means in 2014 and began redirecting traffic that year. He didn’t get knocked out of Yahoo’s systems until late last year.
“You wouldn’t think that one or two people who break in could go in and undermine a search engine,” said Bryan Seely, a security researcher who has discovered flaws in Google Maps and LinkedIn. “There’s no way it should have been that simple. I can’t imagine how many problems would have had to exist for them to be able to do that.”
In some sense, exploiting search results was minor compared to what Belan and his accused co-conspirators allegedly did inside Yahoo. The Department of Justice announced Wednesday that the Russian hacking team breached thousands of Yahoo e-mail accounts, scanning them for credit card numbers and national security intelligence. The hackers could have intruded on as many as 500 million accounts.
But the search engine is Yahoo’s foundation. And losing control of it further scars the reputation of the beleaguered company and its chief executive, Marissa Mayer, who has faced scrutiny for not doing more to bolster the company’s online defenses.
It’s unclear whether Belan redirected users to a fraudulent search results page or instead changed the ranking for the online pharmacy with which he partnered. Yahoo declined to comment.
To cybersecurity experts, the company was a victim of its age. Founded in 1995, more than three years before Google, the company’s systems may have been poorly built and maintained. Overhauls aren’t cheap, said Von Welch, director of Indiana University’s Center for Applied Cybersecurity Research, and many security gaps were left in place.
“They’re big and old, and from a technology standpoint, that’s difficult to manage,” he said.