Jerome Segura, a security researcher at Malwarebytes Labs, has announced that the company found Australia's most popular classifieds site, Gumtree.com.au, serving the Angler Exploit Kit to visitors.
According to numbers from Alexa, the site is Australia's eleventh most popular website. SimilarWeb estimates the website attracts nearly 50 million views a month.
Detailing an attack on a Sydney legal firm, Segura said the attackers set up a subdomain within the firm's own infrastructure and used it to host the exploit kit. From there they served both legitimate and malicious versions of an advertisement, fooling the advertising networks that carried it.
Explaining the attacker's tactics in a blog post, Segura said that, "the rogue advertisers simply lifted the company logo and some text from their website to create what looks like a typical ad banner," and went on to explain that, "They then approached ad networks and pretended to want to advertise under the disguise of the victims they abused. By alternating between clean and malicious versions of the same ad banner, these crooks can dupe the ad industry and carry out their attacks in stealthy ways."
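As an added illustration of the alternation Segura describes, and not code from Malwarebytes, AppNexus or any ad network, the following Python sketches how an ad platform could spot a creative whose final landing URL flips back and forth between destinations across serves. The log format, the account and creative identifiers, and the hostnames are all constructed for this example; a single update of a creative produces one transition, so only repeated flipping is reported.

```python
import re
from collections import defaultdict

# Constructed ad-serving log lines for the example (not real ad-network data).
# Each serve records the advertiser account, the creative shown and the final
# landing URL reached after following the click/redirect chain.
SAMPLE_LOG = """\
2015-05-01T09:00:00Z acct=adv-1042 creative=cr-7781 landing=https://www.example-lawfirm.test/
2015-05-01T09:05:00Z acct=adv-1042 creative=cr-7781 landing=https://www.example-lawfirm.test/
2015-05-01T09:10:00Z acct=adv-1042 creative=cr-7781 landing=https://ads.example-lawfirm.test/land.php
2015-05-01T09:15:00Z acct=adv-1042 creative=cr-7781 landing=https://www.example-lawfirm.test/
2015-05-01T09:20:00Z acct=adv-1042 creative=cr-7781 landing=https://ads.example-lawfirm.test/land.php
2015-05-01T09:00:00Z acct=adv-2001 creative=cr-3300 landing=https://shop.example.test/sale
2015-05-01T09:30:00Z acct=adv-2001 creative=cr-3300 landing=https://shop.example.test/sale
"""

LINE_RE = re.compile(r"^(\S+) acct=(\S+) creative=(\S+) landing=(\S+)$")


def parse_log(text):
    """Parse the constructed log format into a list of serve records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, acct, creative, landing = m.groups()
        records.append({"ts": ts, "acct": acct, "creative": creative, "landing": landing})
    return records


def find_rotating_creatives(records, min_transitions=2):
    """Return creatives whose landing URL changes back and forth between serves.

    Serves are grouped per (account, creative) and ordered by timestamp. Each
    change of landing URL between consecutive serves counts as one transition;
    a legitimate one-off update yields a single transition, while the clean /
    malicious alternation described in the article yields several.
    """
    by_creative = defaultdict(list)
    for r in records:
        by_creative[(r["acct"], r["creative"])].append(r)

    findings = {}
    for key, serves in by_creative.items():
        serves.sort(key=lambda r: r["ts"])  # ISO 8601 timestamps sort lexically
        transitions = sum(
            1 for prev, cur in zip(serves, serves[1:]) if prev["landing"] != cur["landing"]
        )
        if transitions >= min_transitions:
            findings[key] = {
                "transitions": transitions,
                "landings": sorted({r["landing"] for r in serves}),
            }
    return findings


if __name__ == "__main__":
    for (acct, creative), info in find_rotating_creatives(parse_log(SAMPLE_LOG)).items():
        print(f"{acct} {creative}: {info['transitions']} transitions between {info['landings']}")
```

Note that both landing hosts in the flagged creative sit under the impersonated firm's domain, so a check that only compares the landing domain against the advertiser's claimed site would pass; the signal here is the rotation itself.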
Segura tipped off advertising bods AppNexus, who responded within minutes and closed the attackers' account. It is not known how many visitors were exposed, or what malware was delivered to those the exploit kit successfully infected.
Those running unpatched machines with out-of-date operating systems, browsers and commonly targeted programs such as Internet Explorer, Adobe Flash or Java are most at risk. Victims of the Angler Exploit Kit, which has been dubbed “the most capable and popular of the dynamic exploit kit market”, can end up with malware ranging from ransomware to banking trojans.
Malvertising continues to damage the reputation of large websites that turn a profit from adverts, further encouraging end-users to adopt ad blockers. Attacks of this kind often succeed because they hit an industry where the high pace and low profit margins leave no time for thorough buyer and content security checks.
Fraser Kyne, regional systems engineering director at Bromium, spoke with SCMagazineUK.com and commented on the current ways in which companies detect foul play, saying that, “this is further evidence of the futility of detection as a protection model, and how easily it can be fooled. This will become more common over time, and people are woefully unprepared to defend themselves if they continue to rely on detection and a defence-in-depth stack that does not include hardware isolation. Detection tools are not seen as a deterrent by attackers – by contrast, they are simply seen as a test rig to check your malware is ready to be sent into the wild.”