New malvertising attacks via anti Ad-Blocking providers

PageFair hacked and used to deliver malware through ad publishers

On October 31st 2015, at around 23:52 (GMT), the PageFair anti-ad-blocking service was compromised through a spear-phishing attack. According to a blog post1 by the victim company itself, the attackers gained access to a key corporate e-mail account, which was then used to perform a ‘password reset’ of another account on MaxCDN, the content delivery provider used to serve PageFair’s JavaScript analytics code to its customers. These customers are publishers who rely on PageFair’s services to disable or mitigate ad-blocking tools installed on the computers of end users visiting websites that use ad networks.

The attackers reconfigured the compromised CDN account to serve tampered, malicious JavaScript, which asked users to install a fake Adobe Flash update. The ‘update’ was a modified version of legitimate software, most likely intended to enrol machines running Windows in a botnet. It was identified as NanoCore2, a RAT (Remote Access Trojan) that provides plugins related to network management, security and surveillance features. A screenshot of the tampered JavaScript code is shown below:

(malicious JavaScript code served to end users — image reproduced from F-Secure Labs blog)

As shown above, the malicious JavaScript was quite simple: it displayed a pop-up alert and then redirected the user’s browser to download the file adobe_flashplayer_7.exe, which had the following SHA-1 checksum:

  • 6ad0393f506bc6e0a84f1325b3d75cca019c21bc

This file was downloaded from a web server at the IP address 184.173.28.170, but, according to F-Secure, the malware was also hosted on other web servers across the Internet. The C&C (Command-and-Control) server used by the specific sample related to PageFair’s incident was alotpro2.dynu.com (IP address 45.35.34.148), and communication took place over destination port 9994/tcp.
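The indicators above (file hash, download host, C2 domain and IP, destination port) are what an operations team would sweep its logs for. The following Python script is an added example, not code from the original report, PageFair or F-Secure: it matches these indicators against a few constructed proxy, DNS and firewall log lines (invented for the example, in a made-up format) and separates high-confidence hits, such as the payload hash or a lookup of the C2 domain, from weaker ones such as traffic to the C2 IP on another port, which on a dynamic-DNS address may belong to someone else entirely.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators of compromise as reported for this incident (see the text above).
PAYLOAD_SHA1 = "6ad0393f506bc6e0a84f1325b3d75cca019c21bc"
PAYLOAD_NAME = "adobe_flashplayer_7.exe"
DOWNLOAD_HOST = "184.173.28.170"
C2_DOMAIN = "alotpro2.dynu.com"
C2_IP = "45.35.34.148"
C2_PORT = 9994

# Constructed sample log lines in an invented format (not real logs from any product):
#   proxy <ts> <src> <method> <url> <status> [sha1=<hash>]
#   dns   <ts> <src> query <type> <qname> -> <answer>
#   fw    <ts> <src>:<sport> -> <dst>:<dport> <action> <proto>
SAMPLE_LOGS = """\
proxy 2015-10-31T23:55:10Z 10.0.0.21 GET http://184.173.28.170/adobe_flashplayer_7.exe 200 sha1=6ad0393f506bc6e0a84f1325b3d75cca019c21bc
proxy 2015-10-31T23:56:02Z 10.0.0.22 GET http://cdn.example.org/app.js 200 sha1=0123456789abcdef0123456789abcdef01234567
dns 2015-10-31T23:57:41Z 10.0.0.21 query A alotpro2.dynu.com -> 45.35.34.148
dns 2015-10-31T23:58:00Z 10.0.0.23 query A www.example.com -> 93.184.216.34
fw 2015-10-31T23:57:42Z 10.0.0.21:51234 -> 45.35.34.148:9994 ALLOW tcp
fw 2015-10-31T23:59:13Z 10.0.0.23:51240 -> 93.184.216.34:443 ALLOW tcp
fw 2015-11-01T00:01:05Z 10.0.0.24:51300 -> 45.35.34.148:443 ALLOW tcp
"""

PROXY_RE = re.compile(r"^proxy (\S+) (\S+) (\S+) (\S+) (\d+)(?: sha1=([0-9a-f]{40}))?$")
DNS_RE = re.compile(r"^dns (\S+) (\S+) query (\S+) (\S+) -> (\S+)$")
FW_RE = re.compile(r"^fw (\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Hit:
    source: str         # internal host that triggered the indicator
    indicators: tuple   # names of the indicators that matched
    confidence: str     # "high" if any strong indicator matched, else "medium"
    line: str


def _hit(source, found, line):
    if not found:
        return None
    confidence = "high" if any(level == "high" for _, level in found) else "medium"
    return Hit(source, tuple(name for name, _ in found), confidence, line)


def scan_line(line: str):
    """Return a Hit if the line touches one of the incident's IOCs, otherwise None."""
    m = PROXY_RE.match(line)
    if m:
        src, url, sha1 = m.group(2), m.group(4), m.group(6)
        parts = urlsplit(url)
        found = []
        if sha1 == PAYLOAD_SHA1:
            found.append(("payload sha1", "high"))          # exact binary: strongest evidence
        if parts.hostname == DOWNLOAD_HOST:
            found.append(("download host", "medium"))       # the host may serve other content too
        if parts.path.rsplit("/", 1)[-1] == PAYLOAD_NAME:
            found.append(("payload filename", "medium"))    # trivially renamed, weak on its own
        return _hit(src, found, line)
    m = DNS_RE.match(line)
    if m:
        src, qname, answer = m.group(2), m.group(4), m.group(5)
        found = []
        if qname.lower() == C2_DOMAIN:
            found.append(("C2 domain lookup", "high"))
        if answer == C2_IP:
            found.append(("C2 IP in DNS answer", "medium"))  # dynamic-DNS IPs are shared/recycled
        return _hit(src, found, line)
    m = FW_RE.match(line)
    if m:
        src, dst, dport = m.group(2), m.group(4), int(m.group(5))
        found = []
        if dst == C2_IP and dport == C2_PORT:
            found.append(("C2 IP:port", "high"))
        elif dst == C2_IP:
            found.append(("C2 IP, other port", "medium"))
        return _hit(src, found, line)
    return None


def scan_logs(text: str):
    """Scan every non-empty line and return the Hits in log order."""
    hits = []
    for line in text.splitlines():
        hit = scan_line(line.strip())
        if hit is not None:
            hits.append(hit)
    return hits


def likely_infected(text: str):
    """Hosts with at least one high-confidence indicator: candidates for isolation and imaging."""
    return sorted({h.source for h in scan_logs(text) if h.confidence == "high"})


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit.confidence, hit.source, ", ".join(hit.indicators))
    print("likely infected:", likely_infected(SAMPLE_LOGS))
```

On the constructed sample, 10.0.0.21 trips three high-confidence indicators (hash, C2 domain, C2 IP:port) and is the host to isolate; 10.0.0.24 only talked to the C2 address on 443/tcp, which warrants a look but not an automatic verdict, since a dynamic-DNS IP can be reassigned or shared.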

According to PageFair, the compromise was noticed within 5 minutes, but it took 83 minutes (until 01:15 GMT) for its staff to fully contain the incident. The company said that the malware targeted ‘only’ [sic] Windows users, and added that not all users visiting websites that loaded its JavaScript analytics code during those 83 minutes would have been affected, because caching rules could have prevented some browsers from fetching the tampered content from the compromised CDN. Also, 33 minutes after the attack began, PageFair staff reconfigured their DNS settings to bypass the CDN, which would also have prevented ‘new’ users from loading the compromised content. This change, however, could have taken up to 60 minutes to ‘completely propagate’, a delay determined by the TTL (Time-To-Live) value of their DNS records.

Outlook

The consequences of the attack against PageFair could have been very serious, as it reportedly provides anti-ad-blocking services to more than 3,000 websites. According to F-Secure, some hit statistics rank the company’s domain higher than well-known domains such as flickr.com, spotify.com and paypal.com. According to PageFair’s statement, the malicious code was delivered to 501 publishers during the 83 minutes of the attack. Among these, 40% have more than 1 million page views3 per month, which is a worrying number. It could have been worse had the company taken longer to respond to the incident. After a preliminary analysis, PageFair added that only 2.3% of the users visiting these 501 affected publishers while the attack remained active would have been at risk of infection.

PageFair’s official web page on this incident, containing details and statistics, can be accessed at the following URL:

On November 3rd, the developer of NanoCore posted a message on Twitter announcing that the product account used in the attack had been terminated. A direct communication sent to PageFair and disclosed later stated that this should prevent infected users from being remotely controlled by the attackers, even though the malicious software would still be running on an infected computer.

Although this attack can be considered something of an ‘innovation’, as it targeted a third-party provider rather than the ad publishers themselves, it could very probably have been avoided if 2FA (Two-Factor Authentication) had been properly enabled. In a reply to a user’s comment on PageFair’s incident page, the company admitted that no 2FA mechanism was enabled on the compromised MaxCDN account before the incident. It stated that this account used a ‘very strong, unique and securely stored password that was used only for this account’ [sic], but agreed that this was irrelevant, since the attackers had gained access to the associated e-mail account, which allowed them to receive the ‘password reset’ e-mail message.

As already stated in other Tempest security reports, it is worth repeating that every process and company involved in the management of critical systems should undergo periodic security audits, penetration tests and compliance inspections, and must already have 2FA (Two-Factor Authentication) or stronger authentication mechanisms deployed, especially (but not only) on systems that are reachable over the Internet. This must include any outsourced organisations. Another good practice is to use 2FA mechanisms, whenever and wherever possible, not only to protect ‘authentication’ attempts, but also to ‘authorize’ operations that modify the state of the protected system, for instance: a banking transaction that withdraws money; a change to a critical DNS record; the publication of a new story on a media outlet’s portal; etc.
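To make the last point concrete, the following Python snippet is an added example, not PageFair’s or MaxCDN’s code; the CdnAccount class, its field names and the origin URLs are hypothetical. It implements HOTP/TOTP (RFC 4226 and RFC 6238) with the standard library and models a CDN control-panel account in which a password reset obtained through the mailbox, the path used in this incident, still cannot change the serving origin, because that state-changing operation itself demands a fresh one-time code and refuses a replayed one. The secret is the published RFC test-vector key, so the codes it produces are the ones listed in those RFCs.

```python
import hashlib
import hmac
import struct

# Test secret from RFC 4226 / RFC 6238; in practice each account gets its own random secret.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def match_totp(secret: bytes, code: str, at: int, step: int = 30, digits: int = 6, window: int = 1):
    """Return the counter whose code matches (tolerating +/-window steps of clock drift), else None."""
    counter = at // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), code):
            return counter + drift
    return None


class CdnAccount:
    """Hypothetical model of a CDN control-panel account; not MaxCDN's real API."""

    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret
        self.password = "initial-password"
        self.last_counter = -1  # highest TOTP counter accepted so far, to reject replayed codes
        self.script_origin = "https://origin.example.org/analytics.js"  # constructed value
        self.audit = []

    def reset_password_via_email(self, new_password: str) -> None:
        # Whoever controls the mailbox can do this: it is exactly the path used in the incident.
        self.password = new_password
        self.audit.append("password reset through e-mail link")

    def change_script_origin(self, new_origin: str, password: str, totp_code: str, now: int) -> None:
        # The state-changing operation itself demands the second factor, not only the login.
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            raise PermissionError("wrong password")
        counter = match_totp(self.totp_secret, totp_code, now)
        if counter is None or counter <= self.last_counter:
            raise PermissionError("a valid, unused one-time code is required to change the origin")
        self.last_counter = counter
        self.script_origin = new_origin
        self.audit.append("script origin changed to " + new_origin)


def attacker_with_mailbox_only(now: int = 59) -> str:
    """Attacker resets the password through e-mail but has no token; origin must stay unchanged."""
    acct = CdnAccount(RFC_SECRET)
    acct.reset_password_via_email("attacker-chosen")
    try:
        acct.change_script_origin("http://evil.invalid/tampered.js", "attacker-chosen", "000000", now)
    except PermissionError:
        pass
    return acct.script_origin


def operator_with_token(now: int = 59):
    """Legitimate operator changes the origin once; replaying the same code afterwards fails."""
    acct = CdnAccount(RFC_SECRET)
    code = totp(RFC_SECRET, now)
    acct.change_script_origin("https://origin.example.org/analytics-v2.js", "initial-password", code, now)
    first = acct.script_origin
    try:
        acct.change_script_origin("https://origin.example.org/analytics-v3.js", "initial-password", code, now + 5)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return first, replay_rejected


if __name__ == "__main__":
    print("attacker left origin at:", attacker_with_mailbox_only())
    print("operator result:", operator_with_token())
```

The replay check matters in practice: a code phished a few seconds earlier is still inside the drift window, so the server has to remember the highest counter it has accepted per account rather than only checking that the code is currently valid.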



1 Halloween Security Breach. Inside PageFair blog, 01 November 2015. [ back ]

2 Halloween RAT: NanoCore Served Via PageFair Service. F-Secure, 02 November 2015. [ back ]

3 Malware Served via Anti-Adblocking Service PageFair. SecurityWeek, 03 November 2015. [ back ]
