New malvertising attacks via anti Ad-Blocking providers
PageFair hacked and used to deliver malware through ad publishers
This file was downloaded from a webserver running on the IP address 220.127.116.11, but, according to F-Secure, the malware was hosted on more webservers across the Internet. The C&C (Command-and-Control) server used by the specific sample related to PageFair’s incident was alotpro2.dynu.com (IP address 18.104.22.168), and the communication was made through the destination port 9994/tcp.
The consequences of the cyber attack against PageFair could have been very problematic, as they reportedly provides anti Ad-Blocking services for more than 3,000 websites. According to F-Secure, some hit statistics point out that the company is ranked higher than other well-known domains, like flickr.com, spotify.com and paypal.com. From PageFair’s statement, the malicious code was delivered to 501 publishers, during the 83 minutes of the attack. Among these, 40% have more than 1 million page views3 per month, what is a worrisome number. But it could have been worse, if the company had taken longer to respond to the incident. After a preliminary analysis, PageFair added that only 2.3% of users visiting these 501 affected publishers would have risked to be infected, also during the time the attack remained active.
The official PageFair’s webpage on this incident containing details and statistics can be accessed on the following URL:
On November 03rd, the developer of NanoCore has posted a message on Twitter announcing that the product’s account used in the attacks was terminated. A direct communication sent to PageFair and disclosed later stated this should prevent infected users from being remotely controlled by the attackers, even though the malicious software is still running on an infected computer.
Although this cyber attack can be considered sort of an ‘innovation’ — as it targeted a third-party provider, not the ad publishers themselves — it could have very probably been avoided, if 2FA (Two-Factor Authentication) mechanisms were properly activated. In a reply to a user’s comment on PageFair’s incident webpage, the company admitted that no 2FA mechanism was activated on their compromised MaxCDN account before the incident. They stated that this account used a ‘very strong, unique and securely stored password that was used only for this account’ [sic], but they agreed this was irrelevant since the hackers gained access to the associated e-mail account, which enabled them to receive the ‘password reset’ e-mail message.
As already previously stated on other security reports from Tempest, it is worth mentioning that any process and company involved in the management of critical systems should undergo periodic security audits, penetration tests and compliance inspections, and must already have deployed 2FA (Two-Factor Authentication) or stronger authentication mechanisms, especially (but not only) on systems that are accessible over the Internet. This must include any outsourced organisations. Another good advice would be to use 2FA mechanisms — whenever and wherever possible — not only to protect ‘authentication’ attempts, but also to ‘authorize’ operations that modify the state of the protected system, for instance: a banking transaction that withdraws money; a change in a critical DNS resolution property; the publication of a new story on a media outlet portal; etc.