Malvertising Attack Hits Top Australian Classified Site

Tuesday, March 29, 2016

InfosecIsland News


Free classified advertising site Gumtree was hit by a malvertising attack that resulted in users being exposed to the Angler exploit kit (EK), researchers at Malwarebytes say.

Gumtree is a subsidiary of eBay and enjoys high popularity in the United Kingdom, Australia, and South Africa. In fact, it is the leading local classified site in Australia, with over 47.8 million monthly visits.

The attack was possible because cybercriminals managed to hack the account of an Australian legal firm called Concisus Legal, which allowed them to create a legitimate-looking but fraudulent subdomain off the firm's main server, Malwarebytes' Jérôme Segura explained in a recent blog post.

Not only did the rogue domain (ads.concisus.com.au) look very similar to the original one (concisus.com.au), but the attackers also served their fraudulent advert over HTTPS, Segura said.

To carry out their attack, the bad actors took the company's logo and some text from its website and built an ad banner from them. Next, they approached ad networks posing as the firm they had compromised and asked to place the ad.

The security researchers discovered that the malicious ad was served to gumtree.com.au through the sin1.g.adnxs.com ad network, but that it came from ads.concisus.com.au, which was the rogue advertiser. The ad led to the Angler EK, which has historically dropped a wide range of payloads, including ransomware and banking Trojans.
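The delivery chain described above (publisher site, ad network, rogue advertiser host) is the kind of thing a defender can reconstruct from web proxy logs. The following is an added example, not code from Malwarebytes or the article: it follows Referer links per client to rebuild the chain and flags any creative host reached directly from an ad network that has not been seen before. The log format, client addresses, the `cdn.known-brand.example` host and the allowlists are constructed for the example; the ad network and advertiser hosts are those named in the article.

```python
"""Rebuild the ad-delivery chain from proxy logs and flag creative hosts
reached through an ad network that are not on the publisher's list of
previously seen advertiser hosts. Log lines below are constructed."""
from urllib.parse import urlparse

# Constructed sample proxy log: "<timestamp> <client> <url> <referer>"
SAMPLE_LOG = """\
2016-03-28T10:00:01Z 10.0.0.5 https://www.gumtree.com.au/s-cars/ -
2016-03-28T10:00:02Z 10.0.0.5 https://sin1.g.adnxs.com/ab?id=1 https://www.gumtree.com.au/s-cars/
2016-03-28T10:00:02Z 10.0.0.5 https://ads.concisus.com.au/banner/ https://sin1.g.adnxs.com/ab?id=1
2016-03-28T10:00:05Z 10.0.0.7 https://www.gumtree.com.au/s-cars/ -
2016-03-28T10:00:06Z 10.0.0.7 https://sin1.g.adnxs.com/ab?id=2 https://www.gumtree.com.au/s-cars/
2016-03-28T10:00:06Z 10.0.0.7 https://cdn.known-brand.example/ad.html https://sin1.g.adnxs.com/ab?id=2
"""

AD_NETWORK_HOSTS = {"sin1.g.adnxs.com"}
# Assumed allowlist: hosts that have previously served creatives to this publisher
KNOWN_CREATIVE_HOSTS = {"cdn.known-brand.example"}

def parse_log(text):
    """Yield (client, requested_host, referer_host) for each log line."""
    for line in text.splitlines():
        _, client, url, referer = line.split()
        ref_host = urlparse(referer).hostname if referer != "-" else None
        yield client, urlparse(url).hostname, ref_host

def build_chains(text):
    """Per client, follow Referer links from the first page view to produce
    the ordered list of hosts the browser was sent through."""
    chains = {}
    for client, host, ref_host in parse_log(text):
        chain = chains.setdefault(client, [])
        if ref_host is None:
            chain.append(host)                       # top-level page view
        elif chain and chain[-1] == ref_host and host != ref_host:
            chain.append(host)                       # hop referred by the previous host
    return chains

def flag_unexpected_creatives(chains):
    """Return {client: host} for creatives fetched straight from an ad network
    whose host is not already known. A genuine subdomain of a legitimate
    brand (as ads.concisus.com.au was) still trips this check, because it
    keys on the host being new rather than on how plausible it looks."""
    flagged = {}
    for client, chain in chains.items():
        for prev, host in zip(chain, chain[1:]):
            if prev in AD_NETWORK_HOSTS and host not in KNOWN_CREATIVE_HOSTS:
                flagged[client] = host
    return flagged
```

Run against the sample log, the first client's chain ends at the rogue advertiser host and is flagged, while the second client's creative from the allowlisted host is not.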

The security firm reported the incident to AppNexus and says that the company responded within minutes and deactivated the rogue account. The abused Australian law firm was also informed of the breach.

Malwarebytes researchers also explain that cybercriminals are able to trick the ad industry and carry out attacks stealthily by alternating between clean and malicious versions of the same ad banner. They also use a fingerprinting approach aimed at detecting machines that run certain security tools or network packet-capture software, so that the malicious version is withheld from them.

Lately, crooks have been targeting major websites with their malvertising campaigns, in an attempt to expose as many victims as possible to their malware. Such was the case with a recent campaign that affected top global sites, as well as last year’s attack that hit the Yahoo! advertising network and redirected users to pages hosting the Angler EK.
