Internet publishing ‘adblocking analytics’ specialist PageFair has described details of a hack it experienced over the Halloween weekend, which it says it recovered from in a comparatively speedy 83 minutes.
PageFair said that only a fraction of the publishers it works with were at risk of being harmed by the malvertising attack. “We have established that 501 publishers were affected during the 83 minute period. Most of these publishers are small, with 60 percent having less than one million page views per month, and 90 percent having less than ten million page views per month.”
Publishers use PageFair to measure the cost of adblocking and to display alternative non-intrusive advertising to adblockers. The firm says that it recognises that visitors need to defend themselves from distracting, intrusive, inappropriate, disingenuous or malicious advertising and that the rise of adblocking is now leading to the death of quality free websites.
Publishers using the site's free service on Windows-based machines would have, for the duration of the attack, been prompted to download an executable file. PageFair details the compromise, but has not specified how many users it thinks might have been affected.
“We are directly notifying every publisher who had our code deployed during [the time period of the attack],” says the company.
Shape of the attack vector
The attackers carried out a spearphishing attack that gave them access to a key email account. They then immediately performed a password reset to hijack PageFair's account on a Content Distribution Network (CDN) service.
Blanchfield explains that his team noticed the security breach within just five minutes, but it took 83 minutes to fully rectify the situation. After this time visitors were no longer affected.
SCMagazineUK.com spoke directly to PageFair's Blanchfield on this story to address the outstanding issues.
Blanchfield explained his firm's stance: “Although we noticed the intrusion immediately, the attackers had a plan that we needed to figure out. Within 10 minutes the relevant staff were on the case, and within 30 minutes we had begun to mitigate the attack.”
A comment made to look as if it was from security journalist Brian Krebs was left on PageFair's own blog story detailing this attack. It simply said, “I saw this coming.”
Michael Sutton, CISO at Zscaler, told SCMagazineUK.com that PageFair should be commended for being open and transparent about what happened and others should take note.
“It is a stretch to call this a ‘sophisticated’ attack as it began with spearphishing. It is concerning that PageFair would maintain an account as critical as the one used to access their CDN without two-factor authentication, which could have prevented this attack,” Sutton said.
“Once the attackers had gained access to the PageFair CDN, they were free to serve the content of their choosing to all websites relying on PageFair to track ad blockers,” he said.
“The attack was an effective one from a social engineering standpoint as impacted users were prompted to download what they believed was an Adobe Flash update, a common occurrence, but in reality, they were downloading a botnet Trojan. At present, only about half of the major antivirus vendors have signatures in place to combat this threat,” said Sutton.
PageFair has acknowledged the assistance of The Media Trust, a security-as-a-service firm that provides continuous security and insight into the digital ecosystem.