More than 500 users of a free analytics service may have had their websites compromised over the weekend after a hacker was able to execute malicious JavaScript through the service.
On Halloween night, an attacker was able to hijack a “key email account” at PageFair, an ad blocking analytics service. From there the attacker was able to trigger a password reset and take control of the Content Distribution Network (CDN) the company uses, MaxCDN, to serve up JavaScript on sites. If a user happened to navigate to a site which that was compromised, they may have been prompted to download a bogus Adobe Flash update, the company warns.
PageFair, which is based in Ireland and lets webmasters measure how many of their visitors use ad blockers, was candid when it described the attack in a blog post on Sunday, and again in a series of updates on Monday.
According to Sean Blanchfield, PageFair’s CEO, the attackers had access to its systems for more than an hour, but estimates that a small number, 2.3 percent of visitors, Windows users, were ultimately affected by the hack.
Blanchfield lays out all the specifics of the hack in the post, claiming the company reconfigured its DNS after 33 minutes, to disrupt the attack, and that this “would have prevented many users from ever connecting to the CDN during the attack period.”
While PageFair’s metrics indicate that 501 sites that use its service were impacted by the hack, many of the sites were small, “with 60% having less than one million page views per month, and 90% having less than 10 million page views per month.”
To calm client fears, Blanchfield claims that according to statistics from its CDN, only 25 percent of requests to hackers’ IP addresses succeeded while the majority of requests returned 504 server errors.
Blanchfield notes that victims would have also had to agree to download the malware, which has been identified as the Nanocore Trojan, if they noticed it at all.
For the safety of its users PageFair went ahead and reset all of its employees passwords. It’s also stressing that it doesn’t believe any of its other servers or databases were accessed; if they were, it claims it doesn’t store any of its customers’ personally identifiable information.
PageFair claims its received reports that the malware “causes unexpected behaviors” in Word, Excel, and Outlook, which would make sense because Nanocore, a lesser known remote administration tool (RAT) has been spotted this year in attacks against energy companies in Asia and the Middle East, often leveraging AutoIt, freeware in Windows.
There’s a chance the attack could have been mitigated if PageFair been using two factor authentication on its CDN. In a response to a commenter on its blogpost, Blanchfield admits that it hadn’t activated 2FA on MaxCDN, but that it did protect the account with a “strong, unique and securely stored password.”
Since the attacker had access to the password reset email address, that password was quickly made irrelevant according to Blanchfield, who notes the company turned on 2FA following the hack.
“We have reviewed all other 3rd party systems we have in use to: (a) activate 2FA wherever it is possible, and (b) reset passwords for good measure. We will also review where password reset mails are routed,” Blanchfield told the commenter.