Malvertising scheme uses Flash exploit to profit from World Cup buzz

The malicious package is being sold on underground markets for $3,800 a year.
The malvertising scheme targeted site visitors running vulnerable versions of Adobe Flash Player.

Researchers discovered a malvertising campaign targeting a popular sports news site in Brazil – a sure sign that scammers are poised to profit from online interest in the upcoming World Cup tournament.

On Tuesday, Trustwave's research team SpiderLabs blogged about the scheme, which leveraged an Adobe Flash Player exploit to target users. According to the firm, the website for the popular newspaper Lance! was found hosting the malicious ad throughout May.

Fraudulent and malicious advertising, known as malvertising, is often carried out by scammers using bogus identities, web hosting accounts and email addresses to trick companies. In this case, the malvertising scheme targeted site visitors running versions of Flash that were impacted by a buffer overflow vulnerability (CVE-2014-0515).

The ad in question was redirecting users to a domain linked to previous malvertising campaigns, the blog post said.

The bug was patched in late April by Adobe, but hackers used new methods to exploit the vulnerability, instead of previously reported techniques, Trustwave found.

In a Thursday interview, John Miller, security research manager at Trustwave, said that attackers previously carried out attacks by corrupting the sound object's vftable pointer in the popular media player. Scammers behind this campaign, however, are corrupting a FileReference object, Miller explained.

“...That allows them to access additional portions of memory where the malicious code exists,” Miller said, adding that the tweaked exploit could help attackers bypass some detection tools.

"It also demonstrates that this isn't someone copying and pasting a known attack code – they have the ability to make those modifications. This is not just a script kiddie; it's an attacker of higher sophistication," Miller said.

Trustwave has notified the impacted site's operators about the threat, and they have since taken action to remove the malicious ad, Miller said. The security firm is still in the disclosure process with the affected ad network, however.

“With increases in traffic to certain websites, you can bet that malicious individuals will look to take advantage,” Trustwave's blog post said, adding that traffic easily translates to money for attackers looking to cash in on buzzworthy events like the FIFA World Cup tournament, scheduled to kick off in Brazil next Thursday.

“This [scam] shows that sites – even [ones] that you don't think are malicious, or that you use on a regular basis – can suddenly become malicious,” Miller said of the malvertising tactic.
