Stolen law firm creds, iconography, used to seed Angler.
Malware expert Jerome Segura says Australia’s most popular classifieds site, Gumtree.com.au, was serving the world’s most capable exploit kit to some of its millions of monthly visitors.
The site is Australia’s twelfth-most-popular website and last month attracted some 47.8 million views. Parent site eBay Australia scored 74.6 million views.
Segura says attackers hacked a Sydney legal firm and spun up a legitimate-looking subdomain from which to host the exploit infrastructure.
From there they flipped between legitimate and malicious advertisements to confuse ad market vendors.
“The rogue advertisers simply lifted the company logo and some text from their website to create what looks like a typical ad banner,” Segura says.
“They then approached ad networks and pretended to want to advertise under the disguise of the victims they abused.
“By alternating between clean and malicious versions of the same ad banner, these crooks can dupe the ad industry and carry out their attacks in stealthy ways.”
The exploit kit is not served when a sandbox or a security tool such as a network packet capture utility is detected on the visitor's machine, a tactic intended to delay detection and subsequent take-down attempts.
Segura tipped off advertising spruiker AppNexus, which responded within minutes and shut the campaign down.
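The alternating-creative trick described above works because nobody on the ad-network side compares what a creative landed on yesterday with what it lands on today. The following is an added example, not code from the article, from Segura, or from any ad network: a small audit over constructed serve records (creative ID, advertiser domain declared at booking time, timestamp, and the URL the impression ultimately redirected to) that flags creatives whose landing host keeps flipping, and creatives that land outside the advertiser's declared domain. The record format, the `registrable_domain` helper and the threshold are assumptions made for the example.

```python
"""Added example: ad-network side integrity check for flip-flopping creatives.

Hypothetical: assumes the network records, per served impression, the final
landing URL reached after following the creative's click/redirect chain.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample records: (creative_id, declared_advertiser_domain, ts, final_landing_url)
SAMPLE_SERVES = [
    ("cr-1001", "example-law.test", 1, "https://www.example-law.test/"),
    ("cr-1001", "example-law.test", 2, "https://www.example-law.test/"),
    ("cr-1001", "example-law.test", 3, "https://ads.example-law.test/banner.html"),
    ("cr-1001", "example-law.test", 4, "https://www.example-law.test/"),
    ("cr-1001", "example-law.test", 5, "https://ads.example-law.test/banner.html"),
    ("cr-2002", "example-shop.test", 1, "https://www.example-shop.test/sale"),
    ("cr-2002", "example-shop.test", 2, "https://www.example-shop.test/sale"),
    ("cr-3003", "example-bank.test", 1, "https://www.example-bank.test/"),
    ("cr-3003", "example-bank.test", 2, "https://landing.some-other.test/go"),
]


def registrable_domain(host):
    """Simplified: last two DNS labels. Production code should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_creatives(serves, max_flips=1):
    """Return {creative_id: [finding, ...]}; an empty list means the creative looked stable.

    Two checks per creative, over serves ordered by timestamp:
      * alternating: the landing host changed more than `max_flips` times
        (a legitimate campaign rarely bounces between hosts serve by serve);
      * off-brand: any landing host outside the declared advertiser's domain.
    Note the second check alone would not catch a subdomain planted on a
    compromised advertiser site; the first check is what exposes the flip-flop.
    """
    by_creative = defaultdict(list)
    for creative_id, declared, ts, url in serves:
        by_creative[creative_id].append((ts, declared, url))

    report = {}
    for creative_id, rows in by_creative.items():
        rows.sort()  # order by timestamp
        declared = rows[0][1]
        hosts = [urlparse(url).hostname or "" for _, _, url in rows]
        findings = []

        # Count consecutive serves whose landing host differs from the previous one.
        flips = sum(1 for prev, cur in zip(hosts, hosts[1:]) if prev != cur)
        if flips > max_flips:
            findings.append(
                f"alternating landing host ({flips} changes across {len(hosts)} serves): "
                f"{sorted(set(hosts))}"
            )

        off_brand = sorted({h for h in hosts
                            if registrable_domain(h) != registrable_domain(declared)})
        if off_brand:
            findings.append(f"landing outside declared advertiser domain {declared}: {off_brand}")

        report[creative_id] = findings
    return report


if __name__ == "__main__":
    for cid, findings in audit_creatives(SAMPLE_SERVES).items():
        print(cid, "OK" if not findings else "; ".join(findings))
```

In the constructed data, cr-1001 mimics the Gumtree campaign: every serve stays within the advertiser's own domain, so a naive domain check passes, but the landing host flips back and forth and is flagged. cr-3003 lands on an unrelated domain once and is flagged by the second check only; cr-2002 is clean.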
Attack flow on Gumtree.com.au.
It is unknown how many visitors were exposed, and what malware was dropped on those who were infected.
Users most at risk are typically those running unpatched machines with chronically insecure software such as Internet Explorer, Adobe Flash or Java.
Users who fall victim to Angler, the most capable and widely used kit on the exploit kit market, can expect to be infected with malware including ransomware and banking trojans.
Malvertising continues to ruin the reputation of popular websites and drive visitors to use advertising and script blockers.
The attacks succeed because they exploit weaknesses in the global online advertising ecosystem, where high volumes and low margins leave little room for thorough buyer and content integrity checks. ®