Malvertising Found on Dating Site Match[dot]com
News | Threats

Malvertising Found on Dating Site Match[dot]com

Posted: September 3, 2015 by Jérôme Segura

In an attack similar to the one that happened last month on PlentyOfFish, the UK version of online dating site Match.com was caught serving malvertising.

Both companies are actually related since the Match Group bought out POF.com last summer. This latest malvertising incident is the work of the same gang using Google shortened URLs leading to the Angler exploit kit.

Infection flow:

  • Initial URL: uk.match.com/search/advanced_search.php
  • Malvertising: tags.mathtag.com/notify/js?exch={redacted}&price=0.361
  • Malvertising: newimageschool.com/adframe/banners/serv.php?uid=215&bid=14&t=image&w=728&h=90
  • Malicious Redirector: goo.gl/QU2x0w
  • Exploit Kit (Angler): med.chiro582help.com/carry.shtm?{redacted}
math

The malvertising goes through a Goo.gl shortened URL (already blacklisted) that loads the Angler exploit kit:

google

Angler EK is known to serve the Bedep ad fraud Trojan as well as CryptoWall ransomware.

The cost per thousand impressions (CPM) for the booby trapped ad was only 36 cents, which is nothing compared to how much infected computers can bring in terms of revenues. For instance, CryptoWall demands $500 per victim.

We alerted Match.com and the related advertisers but the malvertising campaign is still ongoing via other routes.

Malwarebytes Anti-Exploit users were protected against this attack thanks to our proactive exploit mitigation techniques.

Update: A spokesperson for Match.com UK said:

“We take the security of our members very seriously. Earlier today we took the precautionary measure of temporarily suspending advertising on our UK site whilst we investigated a potential malware issue. Our security experts were able to identify and isolate the affected adverts, this does not represent a breach of our site or our users’ data.

“To date we have not received any reports from our users that they have been affected by these adverts. Nonetheless, we advise all users to protect themselves from this type of cyber-threat by updating their antivirus / anti malware software.”

Source: SCMagazineUK

RELATED ARTICLES

TikTok logo
News | Personal

TikTok comes one step closer to a US ban

April 24, 2024 - The US Senate has approved a bill that will ban TikTok, unless it finds a new owner, bringing it one step closer to being signed into law.

CONTINUE READING 0 Comments
UnitedHealth Group logo
News | Personal

“Substantial proportion” of Americans may have had health and personal data stolen in Change Healthcare breach

April 23, 2024 - UnitedHealth has made an announcement about the stolen data in the ransomware attack on subsidiary Change Healthcare.

CONTINUE READING 0 Comments
The Lock and Code logo, which includes the Malwarebytes Labs insignia ensconced in a pair of headphones
Podcast

Picking fights and gaining rights, with Justin Brookman: Lock and Code S05E09

April 22, 2024 - This week on the Lock and Code podcast, we speak with Justin Brookman about past consumer wins in the tech world, and how to avoid despair.

CONTINUE READING 0 Comments
Discord logo
News | Privacy

Billions of scraped Discord messages up for sale

April 22, 2024 - An internet scraping platform is offering access to a database filled with over four billion Discord messages and combined user profiles.

CONTINUE READING 0 Comments
week in security
News

A week in security (April 15 – April 21)

April 22, 2024 - A list of topics we covered in the week of April 15 to April 21 of 2024

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Jérôme Segura

Jérôme Segura

Principal Threat Researcher

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams