Match.com Suspends UK Ads After Malware Attacks
Second UK Dating Site In Recent Weeks Serves Up Malvertising
As if trying to find romance wasn't difficult enough, lately some online dating aficionados have had to contend with yet another challenge: malware.
The latest online dating site to be targeted by so-called "malvertising" attacks is the U.K. version of the popular Match.com (see Why Malvertising Attacks Won't Stop).
In a Sept. 3 blog post, Jérôme Segura, a senior security researcher with security firm Malwarebytes, warned that Match.com's advertising channel was being used to host the Angler Exploit Kit, a crimeware toolkit designed to exploit PCs by targeting unpatched flaws on those systems (see Hacking Team Zero-Day Attack Hits Flash). Segura said that he had alerted Match.com to the attacks.
The malvertising attack launched via Match.com follows a similar attack that attackers launched in August via another U.K. dating site, Plenty of Fish, which reportedly sees visits from 3 million users per day and claims to be the world's largest dating website and app. Match.com bought Plenty of Fish in July, and Segura says the two malvertising attacks appear to have been launched by the same group of attackers using many of the same techniques.
"This latest malvertising incident is the work of the same gang using Google shortened URLs leading to the Angler exploit kit," he says. The Plenty of Fish malvertising attack, he adds, involved the otherwise legitimate ad.360yield.com network, and was serving the Tinba banking Trojan.
Match.com confirmed the malvertising attacks and temporarily deactivated all advertising on its U.K. site - which is provided by third-party advertising networks - until the problem could be resolved.
"We take the security of our members very seriously. Yesterday we took the precautionary measure of temporarily suspending advertising on our U.K. site whilst we investigated a potential malware issue," a spokeswoman tells Information Security Media Group. "Our security experts were able to identify and isolate the affected adverts; this does not represent a breach of our site or our users' data."
Malvertising - for malicious advertising - refers to attackers sneaking attack code into legitimate advertising networks. These attacks can attempt to directly infect viewers' devices with malware, or else redirect them to sites that launch drive-by attacks (see Ransomware Attacks Subvert Ad Networks).
Although Match.com says that it has no reports that its users were affected by the Angler attacks, it's warning users to beware. "We advise all users to protect themselves from this type of cyber-threat by updating their anti-virus/anti-malware software," the spokeswoman says.
Segura warns that Angler attacks of late have been serving the Bedep ad-fraud malware, as well as CryptoWall ransomware, which can lock PCs, encrypt their contents and demand a ransom to unlock the system (see FBI Alert: $18 Million in Ransomware Losses).
The malvertising attack against Match.com follows the high-profile hack of pro-infidelity dating site Ashley Madison, after which the attackers leaked vast quantities of data about the site's more than 30 million members (see No Surprise: Ashley Madison Breach Triggers Lawsuits). But security experts do not believe that the two attacks are connected.
"Dating websites have historically been popular targets for financially motivated cybercriminals," threat-intelligence firm iSight Partners says in a research note. "Despite media comparisons to the Ashley Madison breach, we do not believe Match.com's ad network exploitation was in any way influenced by that incident."
Segura says the economics of malvertising campaigns work in attackers' favor. "The cost per thousand impressions (CPM)" - meaning every time that 1,000 systems are served an ad - "for the booby-trapped ad was only 36 cents, which is nothing compared to how much infected computers can bring in terms of revenues," he says. "For instance, CryptoWall demands $500 per victim."
So it's no surprise that many security firms continue to report that ransomware campaigns are ubiquitous. "The prevalence of ransomware has increased dramatically in the last two years and is frequently distributed via spam, phishing messages, botnets, exploit kits and malvertising," according to iSight Partners. "In this case, attackers used a legitimate site to spread the malware, circumventing the opportunity for discerning victims to avoid malicious links or attachments.