A site for classified advertising popular in the UK, Australia and South Africa called Gumtree was hit with a malvertising attack, according to Malwarebytes Labs.
According to Malwarebytes researchers, miscreants penetrated the network of an Australian legal firm and put up a phony version of its site that appeared legitimate, but actually contained a fraudulent subdomain off its main server. Gumtree, a subsidiary of eBay, receives 48 million monthly visits.
The criminals cut and pasted the firm’s logo and some text from the legitimate site and fashioned what appeared to be a typical ad banner. They then contacted ad networks to inquire about advertising. Anyone clicking on the bogus, malvertising-laden ad would be vulnerable to receiving the Angler exploit kit, which typically injects different payloads, including ransomware or banking trojans.
Researchers detected a fingerprinting approach – that had been observed previously – capable of avoiding security tools or network packet captures.