
Inside an Attack on Popular Broadband Analysis Site SpeedTest.Net

SpeedTest.net, a free service that tests the performance of Broadband connections, was compromised and made to serve malware, according to security vendor Invincea.

The situation has since been cleaned up. Details and pictures can be found here on Invincea’s blog.


“The exploit analysis shows that potentially a large number of users were exposed to a Java-based exploit temporarily hosted by speedtest.net,” according to Invincea. “Indicators show the exploit implemented by injected Javascript and used the “g01pack” exploit kit likely compromised speedtest.net as part of a malvertising campaign.”

The exploit used a number of tactics and techniques to evade detection while exploiting the Java software plug-in, the company stated in a blog post. In addition, Invincea discovered this particular attack campaign utilized “the lesser-known” g01pack exploit kit, which is known to typically drive traffic to a landing page via malvertising where victims would be served with rogue antivirus.

“Some additional online research indicates that speedtest.net has been compromised several times in the past through vulnerabilities in the OpenX advertising plugin in order to inject malicious Javascript redirecting users to malware,” according to Invincea. “We can’t confirm at this time that this advertising plugin was used or exploited for this attack.”

The Java exploit puts this incident in line with other recent attacks targeting Java vulnerabilities, including high-profile incidents such as the ‘Red October’ cyber-espionage campaign publicized earlier this month by Kaspersky Lab. In response to criticism, Oracle recently pledged to do more outreach to the Java user community regarding security concerns.

The attack is another example of how hackers are utilizing legitimate sites to trap unsuspecting users.


In Cisco Systems’ 2013 Annual Security report, researchers found that online shopping sites are 21 times as likely—and search engines 27 times as likely—to serve malicious content as counterfeit software sites. Along the same lines, online advertisements are 182 times as likely to deliver malicious content as pornography sites.

The results of the report confirmed that “users aren’t stupid,” Mary Landesman, senior security researcher at Cisco, told SecurityWeek’s Fahmida Rashid.

There is an overwhelming perception that people get compromised for “going to dumb sites,” Landesman said. “The Web is extremely complex and people are making mistakes,” she said.
