Incident Response, TDR, Vulnerability Management

Malvertising scheme uses Flash exploit to profit from World Cup buzz

Researchers discovered a malvertising campaign targeting a popular sports news site in Brazil – a sure sign that scammers are poised to profit from online interest in the upcoming World Cup tournament.

On Tuesday, Trustwave's research team SpiderLabs blogged about the scheme, which leveraged an Adobe Flash Player exploit to target users. According to the firm, the website for the popular newspaper Lance! (lancenet.com.br) was found hosting the malicious ad throughout May.

Fraudulent and malicious advertising, known as malvertising, is often carried out by scammers using bogus identities, web hosting accounts and email addresses to trick companies. In this case, the malvertising scheme targeted site visitors running versions of Flash that were impacted by a buffer overflow vulnerability (CVE-2014-0515).

The ad in question was redirecting users to ib.adnxs.com, a domain linked to previous malvertising campaigns, the blog post said.

The bug was patched in late April by Adobe, but hackers used new methods to exploit the vulnerability, instead of previously reported techniques, Trustwave found.

In a Thursday interview, John Miller, security research manager at Trustwave, told SCMagazine.com that attackers previously carried out attacks by corrupting the sound object's vftable pointer in the popular media player. Scammers behind this campaign, however, are corrupting a FileReference object, Miller explained.

“...That allows them to access additional portions of memory where the malicious code exists,” Miller said, adding that the tweaked exploit could help attackers bypass some detection tools.

"It also demonstrates that this isn't someone copying and pasting a known attack code – they have the ability to make those modifications. This is not just a script kiddie; it's an attacker of higher sophistication," Miller said.

Trustwave has notified the impacted site's operators about the threat, and they have since taken action to remove the malicious ad, Miller said. The security firm is still in the disclosure process with the affected ad network, however.

“With increases in traffic to certain websites, you can bet that malicious individuals will look to take advantage,” Trustwave's blog post said, adding that traffic easily translates to money for attackers looking to cash in on buzzworthy events like the FIFA World Cup tournament, scheduled to kick off in Brazil next Thursday.

“This [scam] shows that sites – even [ones] that you don't think are malicious, or that you use on a regular basis – can suddenly become malicious,” Miller said of the malvertising tactic.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.