The website of the London Stock Exchange was hit by a drive-by-download attack over the weekend.
According to information security blogger Paul Mutton, writing on his 'High Severity' blog, the London Stock Exchange website was propagating malware to its visitors on Sunday. Visitors were infected by a rogue anti-virus that uses a software vulnerability to run native executable code on the victim's computer.
He said that the spoof program appears in the system tray and prevents other processes, such as Task Manager, from running, while falsely claiming that the user is infected with a virus. This malware also replaces the computer's wallpaper with a warning message.
It was later revealed that the malware was introduced in a 'malvertising' attack through a third-party advertising site used on the homepage. “LSE have disabled the affected adverts, so all should be well now,” said Mutton.
He said that the infected page also led to Google's safe browsing diagnostic page confirming that malicious content was being served to the site's visitors. It said that of the 281 pages Google had tested on the site over the past 90 days, 65 pages resulted in malicious software being downloaded and installed without user consent. The site was also blocked by Chrome and Firefox, which both make use of Google's malware blocklist.
However, the London Stock Exchange denied that it was propagating malware. A spokesperson told SC Magazine that its website was not infected and that a third party provider called Unanimis, functioning as an intermediary for its website, was hit and the London Stock Exchange was one of many sites to be affected.
The spokesperson said: “We have had a lot of technology issues in the last few weeks and this is nothing to do with us. To be infected you have to go through our adverts to another site, so it is not the adverts on our website that are propagating malware, you had to click through to them.”
A statement from Unanimis said: “Malware was detected on the Unanimis network which affected some advertisements on our network. Other than the banner advertisements in question, the malware does not impact or affect any other parts of a website. The affected advertisements have been removed and all sites continue to operate normally. For clarity the London Stock Exchange website was not impacted by this malware, nor did it propagate malware.”
The spokesperson also pointed to a Google safe browsing report that confirmed that the website had not been affected by anything in the last 90 days. The London Stock Exchange had previously informed Mutton that his blog was 'wholly inaccurate' because the LSE was not propagating malware; however, he said that he strongly disagreed with the claim.
"The most obvious point is that simply visiting their homepage was enough to cause malware to be installed, with no need to click on anything. If their website includes content from other sites, which is designed to propagate malware, then transitively, their site will also be propagating malware," said Mutton.
“That is a fair and accurate claim to make, regardless of where the malware executables are actually hosted. In summary, if someone visits your homepage and it results in malware being downloaded and installed without the user having to do anything, then I believe it's fair to say that your website is propagating malware.”
The British stock exchange was in the headlines at the start of this month after it was reportedly the victim of a cyber attack on its headquarters last year.