Free classified advertising site Gumtree was hit by a malvertising attack that resulted in users being exposed to the Angler exploit kit (EK), researchers at Malwarebytes say.
Gumtree is a subsidiary of eBay and enjoys high popularity in the United Kingdom, Australia, and South Africa. In fact, it is the leading local classified site in Australia, with over 47.8 million monthly visits.
The attack was possible because cybercriminals managed to hijack the account of an Australian legal firm called Concisus Legal, which allowed them to create a legitimate-looking but fraudulent subdomain off the firm's main domain, Malwarebytes' Jérôme Segura explained in a recent blog post.
Not only did the rogue domain (ads.concisus.com.au) look very similar to the original one (concisus.com.au), but attackers also served their fraudulent advert over HTTPS, Segura said.
To carry out the attack, the bad actors took the company's logo and some text from its website and built an ad banner from them. They then approached ad networks as would-be advertisers, posing as the firm whose identity they had abused.
The security researchers discovered that the malicious ad was served to gumtree.com.au through the sin1.g.adnxs.com ad network, but that it originated from ads.concisus.com.au, the rogue advertiser. The ad led to the Angler EK, which has historically dropped a wide range of payloads, including ransomware and banking Trojans.
The security firm reported the incident to AppNexus and says that the company responded within minutes and deactivated the rogue account. The abused Australian law firm was also informed of the breach.
Malwarebytes researchers also explain that cybercriminals are able to trick the ad industry and carry out attacks stealthily by alternating between clean and malicious versions of the same ad banner. They also fingerprint visiting machines in order to detect those running certain security tools or network packet capture software.
Lately, crooks have been targeting major websites with their malvertising campaigns, in an attempt to expose as many victims as possible to their malware. Such was the case with a recent campaign that affected top global sites, as well as last year’s attack that hit the Yahoo! advertising network and redirected users to pages hosting the Angler EK.