Criminals recently used eBay-owned Australian online classifieds site gumtree.com.au to spread malware through online display ads.
Criminals posing as a legitimate Australian legal firm recently duped an online ad network into distributing banner ads through Gumtree.com.au that, if clicked, could likely have led to ransomware.
According to security firm Malwarebytes, the attack attempted to lead Gumtree's Australian visitors to a site hosting the Angler exploit kit, a malicious package that mostly exploits flaws in outdated versions of browsers and browser plug-ins on Windows PCs to install malware.
The Angler exploit kit was recently used in a malicious advertising or "malvertizing" attack aimed at visitors of several mainstream news websites with billions of viewers. The sites served up ads that led to malware that steals banking credentials and to so-called ransomware that encrypts files. Malvertizing attacks abuse the trust between the ad networks that deliver ads and the online publishers that run them in order to install malware on the machines of website visitors.
Gumtree.com.au visitors may have had their computers compromised if they clicked on an ad that appeared to be promoting Concisus Legal, an Australian Sydney CBD-based law firm.
Gumtree itself was not breached; rather, a third-party advertising firm that distributes ads on the site was duped into serving malicious display ads to it. Gumtree.com.au has over 45 million visits per month.
Malwarebytes chief security researcher, Jérôme Segura, told CSO Australia that attackers compromised the account of a web hosting panel the law firm had used to manage its website concisus.com.au. This allowed the attackers to register a related domain that was used in the attack.
"The perpetrators got a hold of their web hosting panel credentials and registered a subdomain without the owner's knowledge," Segura told CSO Australia.
The attackers then created an ad banner using logos from the law firm and then approached ad networks while posing as the law firm.
"This makes it very hard for ad networks to detect anything suspicious, and this is how many fraudulent advertisers are able to get inside ad platforms and then conditionally (at night or weekends) serve malicious code hidden within the ad banner," said Segura.
In a blog post, Segura said that to hide their intent from the ad networks the attackers alternated between harmless and malicious versions of the same ad. The malicious version would, via the ad network, load content from a rogue domain that closely resembled the law firm's legitimate website, which in turn redirected visitors to the Angler exploit kit.
The attackers also served the malicious ads over an encrypted HTTPS connection and used evasion techniques to avoid delivering the payload to machines running malware analysis tools, such as those used by the security firm. Anyone else running a Windows machine would likely have been directed to a site that attempted to install credential-stealing malware or ransomware.
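The two evasion tricks Segura describes, a lookalike domain sitting behind an approved creative and delivery that switches on only at night or on weekends, both leave traces in the landing-URL telemetry an ad network already collects. The Python script below is an added illustration of how a network could flag them, not code from Malwarebytes, Gumtree or CSO Australia. The log format, advertiser ids, domain names and the off-hours policy are all constructed for the example, and the registrable-domain helper is a deliberate simplification of what a real check would do with the Public Suffix List.

```python
"""Flag ad creatives whose landing domain drifts away from the advertiser's
declared domain, and note whether that drift only happens outside business
hours (the conditional serving pattern described in the article)."""
from collections import defaultdict
from datetime import datetime
from difflib import SequenceMatcher
import json

# Constructed sample telemetry: timestamp, advertiser id, declared advertiser
# domain (approved at onboarding), observed landing hostname after the click.
# Every value here is hypothetical.
SAMPLE_LOG = """\
2016-03-01T10:15:00 adv-42 example-legal.com.au example-legal.com.au
2016-03-01T14:20:00 adv-42 example-legal.com.au www.example-legal.com.au
2016-03-05T02:40:00 adv-42 example-legal.com.au exarnple-legal.com.au
2016-03-06T03:05:00 adv-42 example-legal.com.au example-legal.com.au.cdn-static.example
2016-03-02T11:00:00 adv-77 example-shop.com.au example-shop.com.au
"""

# Simplification: treat "com.au"-style second-level suffixes as part of the
# public suffix. A production check would consult the Public Suffix List.
_SECOND_LEVEL = {"com", "net", "org", "edu", "gov", "co"}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname (e.g. www.foo.com.au -> foo.com.au)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_landing(declared: str, observed: str) -> str:
    """match: same registrable domain; lookalike: near-miss or the real name
    reused as a leading label of another domain; unrelated: anything else."""
    d = registrable_domain(declared)
    o = registrable_domain(observed)
    if d == o:
        return "match"
    if observed.lower().startswith(d + "."):
        return "lookalike"           # legit name embedded under a rogue domain
    if SequenceMatcher(None, d, o).ratio() >= 0.8:
        return "lookalike"           # typo-squat style near-miss
    return "unrelated"


def is_off_hours(ts: datetime) -> bool:
    """Constructed policy: weekends, or outside 07:00-19:00 in the log's timezone."""
    return ts.weekday() >= 5 or not (7 <= ts.hour < 19)


def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, adv, declared, observed = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "advertiser": adv,
                     "declared": declared, "observed": observed})
    return rows


def analyze(text: str) -> dict:
    """Per advertiser: is anything off, which hosts were lookalikes, and did
    the lookalikes appear only off-hours (the conditional-serving signal)."""
    per_adv = defaultdict(lambda: {"lookalike_hosts": set(), "unrelated_hosts": set(),
                                   "lookalike_business": 0, "lookalike_off": 0})
    for row in parse_log(text):
        verdict = classify_landing(row["declared"], row["observed"])
        entry = per_adv[row["advertiser"]]
        if verdict == "lookalike":
            entry["lookalike_hosts"].add(row["observed"])
            key = "lookalike_off" if is_off_hours(row["ts"]) else "lookalike_business"
            entry[key] += 1
        elif verdict == "unrelated":
            entry["unrelated_hosts"].add(row["observed"])
    findings = {}
    for adv, e in per_adv.items():
        findings[adv] = {
            "suspicious": bool(e["lookalike_hosts"] or e["unrelated_hosts"]),
            "lookalike_hosts": sorted(e["lookalike_hosts"]),
            "unrelated_hosts": sorted(e["unrelated_hosts"]),
            # lookalikes seen, but never during business hours
            "conditional_off_hours": bool(e["lookalike_hosts"]) and e["lookalike_business"] == 0,
        }
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run on the constructed log, adv-42 is flagged as suspicious with two lookalike landing hosts that were only ever seen on the weekend, while adv-77 is clean. In practice the same comparison would be run against the creative's declared click-through URL as well as the final landing page, since the swap described in the article happened after approval.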