Security Experts:

Malware Served via Anti-Adblocking Service PageFair

Hackers breached the systems of anti-adblocking solutions provider PageFair and used the access to deliver malware via the publishers that rely on the company’s services.

PageFair helps web publishers measure and recover revenue lost due to ad blockers, which have become increasingly problematic for the advertising industry. The company says it serves more than 3,000 websites.

Malicious actors penetrated the company’s systems after gaining access to a key email account via a spear phishing attack. Once they obtained access, the attackers hijacked PageFair’s account on the content delivery network MaxCDN and modified settings to replace the company’s legitimate analytics JavaScript tag with a piece of malware disguised as an Adobe Flash Player update.

PageFair admitted that it had not activated two-factor authentication (2FA) on its MaxCDN account – the security feature was only activated after the incident was addressed.

According to researchers at F-Secure, the threat was a remote administration tool (RAT) known as NanoCore. VirusTotal shows that major antiviruses detected the malware at the time of the attack, and users would have had to manually run the malicious files in order to get infected.

PageFair said it detected the breach within minutes, but it took the company nearly an hour and a half to completely neutralize the attack. During this period, the malware made it to the websites of 501 publishers, 40 percent of which have more than one million page views per month.

In an update provided on Monday evening, PageFair said just 2.3 percent of the affected websites’ visitors were at risk of getting infected.

“There is no evidence or reason to believe that any core pagefair servers or databases were compromised. No publisher account information, passwords or personal information has been leaked,” Sean Blanchfield, CEO of PageFair, wrote in a post-mortem of the attack.

Related Reading: 13 Million Passwords Leaked From Free Hosting Service

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.