Malvertising scheme uses Flash exploit to profit from World Cup buzz

The malicious package is being sold on underground markets for $3,800 a year.
The malvertising scheme targeted site visitors running vulnerable versions of Adobe Flash Player.

Researchers discovered a malvertising campaign targeting a popular sports news site in Brazil – a sure sign that scammers are poised to profit from online interest in the upcoming World Cup tournament.

On Tuesday, Trustwave's research team SpiderLabs blogged about the scheme, which leveraged an Adobe Flash Player exploit to target users. According to the firm, the website for the popular newspaper Lance! (lancenet.com.br) was found hosting the malicious ad throughout May.

Fraudulent and malicious advertising, known as malvertising, is often carried out by scammers using bogus identities, web hosting accounts and email addresses to trick companies. In this case, the malvertising scheme targeted site visitors running versions of Flash that were impacted by a buffer overflow vulnerability (CVE-2014-0515).

The ad in question was redirecting users to ib.adnxs.com, a domain linked to previous malvertising campaigns, the blog post said.

Adobe patched the bug in late April, but the attackers exploited the vulnerability using new methods rather than previously reported techniques, Trustwave found.

In a Thursday interview, John Miller, security research manager at Trustwave, told SCMagazine.com that attackers previously carried out attacks by corrupting the sound object's vftable pointer in the popular media player. Scammers behind this campaign, however, are corrupting a FileReference object, Miller explained.

“...That allows them to access additional portions of memory where the malicious code exists,” Miller said, adding that the tweaked exploit could help attackers bypass some detection tools.

“It also demonstrates that this isn't someone copying and pasting a known attack code – they have the ability to make those modifications. This is not just a script kiddie; it's an attacker of higher sophistication,” Miller said.

Trustwave has notified the impacted site's operators about the threat, and they have since taken action to remove the malicious ad, Miller said. The security firm is still in the disclosure process with the affected ad network, however.

“With increases in traffic to certain websites, you can bet that malicious individuals will look to take advantage,” Trustwave's blog post said, adding that traffic easily translates to money for attackers looking to cash in on buzzworthy events like the FIFA World Cup tournament, scheduled to kick off in Brazil next Thursday.

“This [scam] shows that sites – even [ones] that you don't think are malicious, or that you use on a regular basis – can suddenly become malicious,” Miller said of the malvertising tactic.
