PageFair adblocking site 'recovers' from Halloween hack in 83 minutes

Web publishing analytics firm PageFair handles malicious JavaScript hack with deft response, lessons learned for all?

PageFair says it recovered from hack in 83 minutes

Internet publishing ‘adblocking analytics’ specialist PageFair has described details of a hack it experienced over the Halloween weekend that it says it recovered from inside a comparatively speedy 83 minutes.

The Dublin-based startup was compromised by hackers, who succeeded in injecting malicious JavaScript code that executed on websites embedding the firm's core service.

PageFair said that only a fraction of the publishers it works with were at risk of being harmed by the malvertising attack. “We have established that 501 publishers were affected during the 83 minute period. Most of these publishers are small, with 60 percent having less than one million page views per month, and 90 percent having less than ten million page views per month.”

Publishers use PageFair to measure the cost of adblocking and to display alternative non-intrusive advertising to adblockers. The firm says that it recognises that visitors need to defend themselves from distracting, intrusive, inappropriate, disingenuous or malicious advertising and that the rise of adblocking is now leading to the death of quality free websites.

Publishers using the site's free service on Windows-based machines would have, for the duration of the attack, been prompted to download an executable file. PageFair details the compromise, but has not specified how many users it thinks might have been affected.

“We are directly notifying every publisher who had our code deployed during [the time period of the attack],” says the company.

Shape of the attack vector

In terms of the attack, hackers succeeded in executing a spearphishing attack that provided access to a key email account. The attackers then immediately performed a password reset to hijack PageFair's account on a Content Distribution Network (CDN) service.

According to PageFair CEO Sean Blanchfield, “[The hackers] modified the CDN settings so that instead of serving PageFair's JavaScript, it served malicious JavaScript. This intentionally harmful JavaScript prompted visitors to install a fake Adobe Flash update, which appears to be a botnet Trojan that targets Windows (more information on it is now available here). Although many virus scanners will have prevented this file from executing, others may not have been able to correctly detect it.”

Blanchfield explains that his team noticed the security breach within just five minutes, but it took 83 minutes to fully rectify the situation. After this time visitors were no longer affected.

SCMagazineUK.com spoke directly to PageFair's Blanchfield on this story to address the outstanding issues.

Blanchfield explained his firm's stance: “Although we noticed the intrusion immediately, the attackers had a plan that we needed to figure out. Within 10 minutes the relevant staff were on the case, and within 30 minutes we had begun to mitigate the attack.

“Our soul searching has only begun, but it is clear that modern web pages are built on functionality from hundreds of third-party services accelerated via CDN, and that represents a very valuable target to hackers. To prevent this kind of attack becoming more widespread, we must all adopt a method of cryptographically signing and authenticating JavaScript code.”

A comment made to look as if it was from security journalist Brian Krebs was left on PageFair's own blog story detailing this attack. It simply said, “I saw this coming.”

Michael Sutton, CISO at Zscaler, told SCMagazineUK.com that PageFair should be commended for being open and transparent about what happened and others should take note.

“It is a stretch to call this a ‘sophisticated’ attack as it began with spearphishing. It is concerning that PageFair would maintain an account as critical as the one used to access their CDN without two-factor authentication, which could have prevented this attack,” Sutton said.

“Once the attackers had gained access to the PageFair CDN, they were free to serve the content of their choosing to all websites relying on PageFair to track ad blockers,” he said.

“The attack was an effective one from a social engineering standpoint as impacted users were prompted to download what they believed was an Adobe Flash update, a common occurrence, but in reality, they were downloading a botnet Trojan. At present, only about half of the major antivirus vendors have signatures in place to combat this threat,” said Sutton.

PageFair has acknowledged the assistance of The Media Trust, a security-as-a-service firm that provides continuous security and insight into the digital ecosystem.