We detected a malvertising attack on popular dating site PlentyOfFish (POF) which draws over 3 million daily users.
The attack chain uses the Google URL shortener goo.gl as intermediary to load the Nuclear exploit kit. While we see this mechanism quite frequently within our telemetry, it is particularly difficult to reproduce it in a lab environment.
- www.pof.com
- mediaservices-d.openxenterprise.com
- newimageschool.com/adframe/banners/serv.php?uid={redacted}
- ad.360yield.com
- frexw.co.uk
- gp-[a-z]\.info
- goo.gl/zSQxk4
- ducumsacfire.caseyscollectables.com
The ad network involved in the malvertising campaign (ad.360yield.com) was familiar and it turns out that we had observed it in a rare attack captured by our honeypots just one day prior.
As you can see in the picture below, the redirection chain goes through multiple hoops before reach its final destination, the exploit kit landing page.
The sample collected in this particular instance was the Tinba banking Trojan. Given that the time frame of both attacks and that the ad network involved is the same, chances are high that pof[dot]com dropped that Trojan as well.
Malwarebytes Anti-Exploit users were protected against this attack.
We have contacted PlentyOfFish to make them aware of this issue and will update this post if we hear back.
COMMENTS
Pingback: Dating Site PlentyOfFish Contains Hidden Maleware Bite | Lifehacker Australia()
Pingback: Plenty of Problems as another dating site attracts bad boys (or girls) | SecurityWatch()
Pingback: Plenty of Problems as another dating site attracts bad boys (or girls) | Dennis Nadeau Complaint Blog()
Pingback: Plenty of Fish users hooked, lined and sinkered - Inquirer | Berita Bola dan Lowongan Kerja()
Pingback: Telstra Media’s Homepage Pushes Malvertising | Malwarebytes Unpacked()
Pingback: Plenty of fish, and exploits, on dating website | Игры онлайн()
Pingback: Plenty of fish, and exploits too, on dating website | Templar Shield()
Pingback: Plenty of fish, and exploits too, on dating website | Virus / malware / hacking / security news()
Pingback: Plenty Of Fish Users Compromised Via Infected Ads | Clemons XYZ's()
Pingback: ste williams – Dating gets even more dangerous after PlentyOfFish suffers tainted ads()
Pingback: Plenty of fish, and exploits too, on dating website - Brisbane Computer Repairs()
Pingback: Plenty of fish, and exploits too, on dating website | IP Pings()
Pingback: Dating gets even more dangerous after PlentyOfFish suffers tainted ads | TechDiem.com()
Pingback: Computer Networking CrackerJack()
Pingback: Dating gets even more dangerous after PlentyOfFish suffers tainted ads | The Cyber Law Library()
Pingback: Plenty of Fish Hooks Up Users with Malware - Tom's Guide | Berita Bola dan Lowongan Kerja()
Pingback: Dating Site PlentyofFish Hit With Malvertising Wave | Forensic News()
Pingback: Ad network hooks up dating-site users with malware - Fox News | Berita Bola dan Lowongan Kerja()
Pingback: Ad network hooks up dating-site users with malware | The World 247()
Pingback: Another dating site attacked by hackers - Created by admin - In category: Technology - Tagged with: - The News On Time - Minute by minutes following worldwide news…()
Pingback: Ad network hooks up dating-site users with malware | TimeOutPk()
Pingback: Dating Site Plenty Of Fish Injected With Malware | Techaeris()
Pingback: Ad network hooks up dating-site users with malware | Latest News Global()
Pingback: Advertising malware rates have tripled in the last year, according to report » Rand0m Stuff()
Pingback: Advertising malware rates have tripled in the last year, according to report - How to do everything!()
Pingback: Advertising malware rates have tripled in the last year, according to report | Does Everybody Dream?()
Pingback: Ad network hooks up dating-site users with malware - Press Today()
Pingback: Malvertising Found on Dating Site Match[dot]com | Malwarebytes Unpacked()
Pingback: Match com, millions online daters at risk due to a malvertising campaign - Systerity()
Pingback: Match com, millions online daters at risk due to a malvertising campaign | HacktheW0r1d()
Pingback: Match com, millions online daters at risk due to a malvertising campaign | Tailor Technology()
Pingback: Malvertising Found on Dating Site Matchdotcom - SecuritySlagsSecuritySlags()
Pingback: Large Malvertising Campaign Goes (Almost) Undetected | Malwarebytes Unpacked()
Pingback: Plenty of fish, and exploits too, on dating website | P2P Devs()
Pingback: Malvertising hits popular dating site. Disconnect users were protected. - AdTrustMedia Blog()
Pingback: Malvertising Headache Swells to Migraine Proportions - AdTrustMedia Blog()
Pingback: Large Malvertising Campaign Goes (Almost) Undetected - AdTrustMedia Blog()