Anti-adblocker firm PageFair's users hit by fake Flash update
Company apologises and offers proper post mortem
Ad-blocker blocker PageFair has announced that it was hacked over Halloween, exposing visitors to sites running its free analytics service (which lets a site see how many of its visitors use ad-blockers, perhaps to avoid being served malware by a third party) to an executable masquerading as an Adobe Flash update.
"If you are a publisher using our free analytics service, you have good reason to be very angry and disappointed with us right now" stated PageFair CEO Sean Blanchfield in the company's impressively explicit and ongoing post mortem.
Malign spirits held sway over PageFair's analytics service for 83 minutes on the night of Halloween, specifically between 23:52 on 31 October and 01:15 on 1 November, according to the company. Ironically, the malware leveraged the company's account on a Content Distribution Network (CDN) service – a booming attack vector, as we described earlier this year.
PageFair stated that attackers had successfully executed a spear-phishing attack against "a key email account", from which a rapid password reset allowed them to hijack the company's CDN account.
"The attackers had a plan," Blanchfield told The Register. Once they had access to the email account, they replaced the analytics service's JavaScript tag with JavaScript of their own.
This intentionally harmful JavaScript prompted visitors to install a fake Adobe Flash update, which appears to be a botnet trojan that targets Windows (more information on it is now available here).
501 publishers served up the evil executable during the 83-minute period it was live. PageFair stated that "most of these publishers are small, with 60 per cent having less than one million page views per month, and 90 per cent having less than ten million page views per month."
The Register understands that the issue also affected PageFair's 10m+ page views per month clients.
Chris Boyd, malware intelligence analyst at Malwarebytes, told The Register that these attacks most usually came via rogue adverts, and it was "hugely ironic to see malware instead being served by a compromised analytics platform which is itself based around the notion of adblock measurements and 'non intrusive ads' for page visitors running ad blockers."
Blanchfield told us it was "kind of different" from typical malvertising maliciousness, but "web pages increasingly use third party services to enhance functionality, and this kind of attack is happening more and more."
The CEO suggested that the ability to authenticate scripts in browsers was something the industry needed to look at, and stated that the company was full of security enthusiasts and would be eager to collaborate with browser developers and CDN vendors to attempt to establish best practices regarding this.