Anti ad-block firm PageFair becomes cyberattack victim, distributes malware

Over 500 websites using the company's analytics software were compromised over the weekend and spewed out Trojans in order to infect Windows machines.

Over 500 websites were compromised over the weekend due to analytics software provided to publishers by PageFair.

Mobile ad-blocking is a hot topic. Browser add-ons and mobile apps are slowly rising in popularity with consumers looking for a cleaner Web experience, but as a result, content publishers relying on advertising models which pay out for eyeballs and clicks are steadily losing revenue.

Many publishers use third parties to provide ads -- which, unfortunately, can also sometimes allow malware to slip through the net and compromise websites and visitor systems. This technique, known as malvertising, has struck high-profile targets such as Yahoo and UK newspaper The Daily Mail.

PageFair is an anti-adblock firm which provides analytics to publishers who wish to see how much revenue they are losing due to ad-blocking software impacting these networks. Perhaps ironically, over the weekend the company's free analytics software behaved like the ad networks which distribute malware -- a cybercriminal used it to propel Trojans through websites running the software and towards visitor devices.

"If you are a publisher using our free analytics service, you have good reason to be very angry and disappointed with us right now," PageFair CEO Sean Blanchfield said.

On the company's blog, the firm admitted it was a target of a cyberattack over the weekend. A successful phishing campaign secured access to a key email account, which allowed the hacker to perform a password reset on PageFair's account on a Content Distribution Network (CDN) service used to distribute the company's analytics software.

The CDN settings were then modified to send out not PageFair's work, but instead malicious JavaScript. Masquerading as an Adobe Flash update, the malware targeted Windows machines in an attempt to infect systems and join them to a Trojan-based botnet.

According to F-Secure, the malicious file sent via PageFair's software, adobe_flashplayer_7.exe, served a remote access Trojan (RAT) called Nanocore, a Trojan available for only $25 which can grant an attacker full control of a victim's system.

"Although many virus scanners will have prevented this file from executing, others may not have been able to correctly detect it," PageFair admitted.

In a set of updates, the company said the cyberattack was resolved on Monday. PageFair estimates that 2.3 percent of visitors to 501 affected publishing websites were affected during the attack and may have become infected with malware.

Luckily for publishers, the attack was spotted within five minutes -- but it took a further 83 minutes to stem the attack and resolve the issue. The firm says there is no evidence to suggest any core PageFair servers or databases have been compromised, and so publisher account information, passwords and personal data should be safe.

In an attempt to stop further attacks, the company has performed a full reset of user accounts and an audit is being performed to improve security practices.
