Malicious ads target Match.com

Users of the dating site Match.com are being targeted by malware and ransomware, security experts warned on Friday.

According to security firm Malwarebytes, the attack is run through ad networks and is aimed at Match.com's UK users. Hackers are using Google shortened URLs that ultimately lead, through a series of redirections, to sites hosting the Angler exploit kit.

The ultimate goal of the hack is to infect users with CryptoWall ransomware and the Bedep ad fraud Trojan. Match.com’s servers themselves have not been breached. Malwarebytes alerted Match.com and the related advertisers, but the malvertising campaign is still ongoing via other routes, the security firm warns.

A spokesperson for Match.com told The Register: “We take the security of our members very seriously indeed. We are currently investigating this alleged issue.”

A few days back, another dating site, PlentyOfFish, suffered a similar attack. Fake ads were placed via the site’s ad network (as.360yield.com), on which the Nuclear Exploit Kit is hosted.

The kit takes advantage of browser vulnerabilities and unpatched Flash flaws to push malware onto the computers of surfers.

As with today’s attack, no servers have been breached.

“To clarify, the malware hasn’t breached any of PlentyOfFish’s servers, so all user information is safe at this point,” Jérôme Segura, senior security researcher at Malwarebytes, explains. “As mentioned, it’s just the ad network being used by the site, which is serving visitors the exploit and, by association, any malware.”

Match.com has 27 million monthly active users worldwide, while PlentyOfFish attracts over 3 million users daily among a user base of 90 million.

Industry reaction

Adam Winn, senior manager, OPSWAT:

"The most vulnerable users are those who do not block ads, and have Flash set to autoplay. A vulnerability like this can strike anyway, no matter how safe their browsing habits or how well-patched their software is. Protection can be achieved with two simple techniques: Click to Play, and Ad Blocking. This combination of techniques is nearly bullet-proof against malvertising.

1) Click to Play: Set your browser to use Click to Play, which means no Flash/Java/Silverlight/etc. can launch unless the user explicitly requests it.
2) Ad blocking: While somewhat controversial, ad blocking is nonetheless an extremely effective way that users can protect themselves from malvertising. There are many competing alternatives for ad blocking, yet AdBlock remains the most popular.

"Any average user can configure these two items in less than an hour, and rest assured that they will be nearly invulnerable to malvertising and many Flash/Java/Silverlight exploits in general."

Gavin Reid, VP of threat intelligence, Lancope:

"It is important to not confuse the attack at Match with full site compromises like the recent hack of Ashley Madison. The information on this attack shows a much different issue of malvertising (ads that contain links to malware) being viewed on their website.

"Malvertising has plagued online websites, with almost all of the top 100 sites having hosted them at some time."

Simon Crosby, CTO and co-founder, Bromium:

"If you use any online services whose data, if stolen and made public, could be used against you, then edit your profile now to include false information and a fake email address, or an alternative, randomised, non-work email address from an online provider."

UPDATE: Match.com have issued the following updated statement: “We take the security of our members very seriously. Earlier today we took the precautionary measure of temporarily suspending advertising on our UK site whilst we investigated a potential malware issue. Our security experts were able to identify and isolate the affected adverts, this does not represent a breach of our site or our users’ data.

“To date we have not received any reports from our users that they have been affected by these adverts. Nonetheless, we advise all users to protect themselves from this type of cyber-threat by updating their antivirus / anti malware software.”