Latest Malvertising Attack Affects Major Sites: Insights from GeoEdge Security Lab

November 2, 2015

For those who don't know, our GeoEdge Security Lab runs a proactive monitoring system to help maintain a clean, safe, and engaging ad ecosystem. Yesterday, GeoEdge Security Lab noticed suspicious activity on popular web portals. The activity was due to a compromise of the PageFair analytics service, which in their words lasted 83 minutes.


This malvertising attack led users to a backdoor, which is malware that provides remote access to the user's computer and information. In this case, the user could see that a file was being downloaded, but for the backdoor to be executed it needed user interaction (meaning the user had to run the file).


GeoEdge Security Lab has determined that the malicious program involved in this malvertising attack appears to be the multi-purpose Noancooe backdoor. Read on for the exact details of this attack.


The Targets
Among others, the following major websites were affected:

  • esquire.com

  • elle.com

  • cosmopolitan.com

  • popularmechanics.com

  • businessinsider.com

  • economist.com

  • parents.com

  • macrumors.com

  • dpreview.com


The Process
When users visited any of these sites, they got an alert in their browser window that their Flash Player plugin was outdated (see picture below). Whether the user pressed "OK" or "Escape", they were redirected to http://{ip_address_redacted}/adobe_flashplayer_7.exe, where an executable file was served and a visible download occurred.

If the user chose to open and run this file, the backdoor was installed and the PC became part of a zombie network (botnet).
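The download chain described above (a fake Flash-update prompt, a redirect to an executable hosted on a bare IP address, a visible download) leaves a recognisable trace in web-proxy logs. The following is an added example, not GeoEdge code: a small scanner that flags such fetches in a proxy log. The log format, every hostname and IP address (RFC 5737 documentation ranges) and all sample lines are constructed for the demonstration; only the redacted-IP URL shape and the file name adobe_flashplayer_7.exe come from the post.

```python
"""Flag proxy-log entries that look like the fake-Flash-update download chain
described in the post: an executable fetched from a bare-IP host, over plain
HTTP, with an Adobe/Flash look-alike file name, referred from a publisher page.

Added example, not GeoEdge code. The log format and every host, IP (RFC 5737
documentation ranges) and sample line below are constructed; only the
redacted-IP URL shape and the name adobe_flashplayer_7.exe come from the post.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed proxy log: "timestamp client method url referer status" ("-" = no referer).
SAMPLE_LOG = """\
2015-11-01T10:02:11Z 10.0.0.5 GET https://www.example-publisher.test/article/1 - 200
2015-11-01T10:02:12Z 10.0.0.5 GET https://cdn.example-antiadblock.test/loader.js https://www.example-publisher.test/article/1 200
2015-11-01T10:02:15Z 10.0.0.5 GET http://198.51.100.23/adobe_flashplayer_7.exe https://www.example-publisher.test/article/1 200
2015-11-01T10:03:40Z 10.0.0.7 GET https://get.adobe.com/flashplayer/ https://www.example-publisher.test/ 200
2015-11-01T10:04:02Z 10.0.0.9 GET http://203.0.113.8/update.exe https://www.example-publisher.test/news 200
2015-11-01T10:05:19Z 10.0.0.9 GET https://downloads.example-vendor.test/setup.exe - 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr")
LURE_NAME_RE = re.compile(r"adobe|flash", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    client: str
    url: str
    referer: str
    reasons: Tuple[str, ...]


def is_bare_ip_host(host: str) -> bool:
    """True when the URL host is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding for an executable download that carries at least one
    lure indicator (bare-IP host or Flash-like file name); None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed or empty line
    ts, client, _method, url, referer, _status = m.groups()
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if not filename.endswith(EXECUTABLE_SUFFIXES):
        return None
    reasons = []
    if is_bare_ip_host(parsed.hostname or ""):
        reasons.append("bare-IP host")
    if LURE_NAME_RE.search(filename):
        reasons.append("Flash-installer lure filename")
    if not reasons:
        return None  # an ordinary vendor download, not what we are hunting
    if parsed.scheme == "http":
        reasons.append("plain HTTP")  # supporting signal, never sufficient alone
    return Finding(ts, client, url, referer, tuple(reasons))


def scan_log(text: str) -> List[Finding]:
    return [f for f in (analyse_line(ln) for ln in text.splitlines()) if f]


def affected_sites(findings: List[Finding]) -> List[str]:
    """Publisher hosts whose pages referred the flagged downloads."""
    hosts = {urlparse(f.referer).hostname for f in findings if f.referer != "-"}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f.timestamp, f.client, f.url, "<-", f.referer, "|", ", ".join(f.reasons))
    print("referring sites:", affected_sites(found))
```

The referer column matters as much as the URL: it is what tells an analyst which publisher pages were serving the chain, which is the list the post gives under "The Targets". A genuine vendor download (the setup.exe line) is deliberately left unflagged, because an executable by itself is not an indicator.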

The Identity
This file has been identified by multiple AV engines as malicious. GeoEdge Security Lab has determined that the malicious program appears to be the multi-purpose Noancooe backdoor.


The Source
The source of the issue was a hijacked script from PageFair, a technology built to help publishers counter ad blockers. PageFair has acknowledged that its CDN account was compromised and has published a post about it.
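A script pulled from a third-party CDN changes under the publisher's feet when the CDN account is compromised, so the practical defensive check is to baseline what that script normally contains and alert when the served copy changes. Below is an added example of such a monitor; it is not GeoEdge's or PageFair's code. The script URL, both script bodies and the IP address (RFC 5737 range) are constructed, and the fetcher is injected so the demonstration runs offline; in production it would be an HTTP client polling the live CDN.

```python
"""Baseline-and-diff monitor for third-party scripts: hash each script at a
known-good moment, re-fetch it periodically, and on any change report the
URLs that appeared in the new body (a hijacked loader typically gains one).

Added example, not GeoEdge's or PageFair's code. The script URL, bodies and
IP address below are constructed; the fetcher is injected for offline use.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Absolute http(s) URLs inside a script body, stopping at quotes/whitespace.
URL_RE = re.compile(rb"https?://[^\s'\"<>)]+")

# Constructed third-party loader and a tampered copy of it.
SCRIPT_URL = "https://cdn.example-antiadblock.test/loader.js"
CLEAN = (b"(function(){var s=document.createElement('script');"
         b"s.src='https://cdn.example-antiadblock.test/lib.js';"
         b"document.head.appendChild(s);})();")
TAMPERED = CLEAN + b"\nvar u='http://198.51.100.23/adobe_flashplayer_7.exe';"


@dataclass
class Baseline:
    sha256: str
    urls: Set[bytes]


@dataclass
class Report:
    url: str
    status: str  # "unchanged" | "changed" | "fetch_failed"
    new_urls: List[str] = field(default_factory=list)


def fingerprint(body: bytes) -> Baseline:
    """Hash the body and record every URL it references."""
    return Baseline(hashlib.sha256(body).hexdigest(), set(URL_RE.findall(body)))


def check_scripts(baseline: Dict[str, Baseline],
                  fetch: Callable[[str], Optional[bytes]]) -> List[Report]:
    """Re-fetch every baselined script and report changes. `fetch` returns the
    body bytes or None on failure; a failed fetch is itself worth alerting on,
    since an attacker may also break the script for clients they do not target."""
    reports: List[Report] = []
    for url, known in baseline.items():
        body = fetch(url)
        if body is None:
            reports.append(Report(url, "fetch_failed"))
            continue
        current = fingerprint(body)
        if current.sha256 == known.sha256:
            reports.append(Report(url, "unchanged"))
            continue
        added = sorted(u.decode("ascii", "replace") for u in current.urls - known.urls)
        reports.append(Report(url, "changed", added))
    return reports


def demo() -> List[Report]:
    """Baseline the clean loader, then 'fetch' the tampered copy."""
    baseline = {SCRIPT_URL: fingerprint(CLEAN)}
    served = {SCRIPT_URL: TAMPERED}  # stands in for what the CDN now returns
    return check_scripts(baseline, lambda u: served.get(u))


if __name__ == "__main__":
    for r in demo():
        print(r.url, r.status, r.new_urls)
```

Hashing alone tells you that something changed; listing the newly referenced URLs tells the on-call engineer what to look at first, and a bare-IP executable appearing in an analytics loader is exactly the kind of entry that should page someone. Legitimate releases will also trip the hash check, so the baseline has to be refreshed as part of the vendor's change process rather than silently.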


The Right Steps

Often on this blog we talk about the rise of malvertising, and this is just one example of what is occurring in cyberspace. With a single attack, a brand's reputation can be severely affected. In the case of a network or platform, it is not only their own brand that suffers but also the brand integrity of the sites that use their service. Publishers, platforms and the like need third-party solutions that monitor their sites to keep them from becoming victims and infecting users worldwide.


This kind of complex ad security protection is not typically available in any ad verification solution. With the GeoEdge Security Lab, however, it is one of our specialties. Click here for more information about our ad security and verification solutions that protect publishers, exchanges, and platforms from malvertising attacks.