PageFair Hack Serves Up Fake Flash Update to 500 Sites

500 sites that use the free analytics service PageFair may have been compromised over the weekend.

More than 500 users of a free analytics service may have had their websites compromised over the weekend after a hacker was able to execute malicious JavaScript through the service.

On Halloween night, an attacker was able to hijack a “key email account” at PageFair, an ad blocking analytics service. From there the attacker was able to trigger a password reset and take control of the Content Distribution Network (CDN) the company uses, MaxCDN, to serve up JavaScript on sites. If a user happened to navigate to a site which that was compromised, they may have been prompted to download a bogus Adobe Flash update, the company warns.

PageFair, which is based in Ireland and lets webmasters measure how many of their visitors use ad blockers, was candid when it described the attack in a blog post on Sunday, and again in a series of updates on Monday.

According to Sean Blanchfield, PageFair’s CEO, the attackers had access to its systems for more than an hour, but estimates that a small number, 2.3 percent of visitors, Windows users, were ultimately affected by the hack.

Blanchfield lays out all the specifics of the hack in the post, claiming the company reconfigured its DNS after 33 minutes, to disrupt the attack, and that this “would have prevented many users from ever connecting to the CDN during the attack period.”

While PageFair’s metrics indicate that 501 sites that use its service were impacted by the hack, many of the sites were small, “with 60% having less than one million page views per month, and 90% having less than 10 million page views per month.”

To calm client fears, Blanchfield claims that according to statistics from its CDN, only 25 percent of requests to hackers’ IP addresses succeeded while the majority of requests returned 504 server errors.

Blanchfield notes that victims would have also had to agree to download the malware, which has been identified as the Nanocore Trojan, if they noticed it at all.

For the safety of its users PageFair went ahead and reset all of its employees passwords. It’s also stressing that it doesn’t believe any of its other servers or databases were accessed; if they were, it claims it doesn’t store any of its customers’ personally identifiable information.

PageFair claims its received reports that the malware “causes unexpected behaviors” in Word, Excel, and Outlook, which would make sense because Nanocore, a lesser known remote administration tool (RAT) has been spotted this year in attacks against energy companies in Asia and the Middle East, often leveraging AutoIt, freeware in Windows.

There’s a chance the attack could have been mitigated if PageFair been using two factor authentication on its CDN. In a response to a commenter on its blogpost, Blanchfield admits that it hadn’t activated 2FA on MaxCDN, but that it did protect the account with a “strong, unique and securely stored password.”

Since the attacker had access to the password reset email address, that password was quickly made irrelevant according to Blanchfield, who notes the company turned on 2FA following the hack.

“We have reviewed all other 3rd party systems we have in use to: (a) activate 2FA wherever it is possible, and (b) reset passwords for good measure. We will also review where password reset mails are routed,” Blanchfield told the commenter.

Suggested articles

Discussion

  • Robert Gibb on

    Hey Chris. Rob here from MaxCDN, the content delivery network used by PageFair. Thanks for covering this story. It sheds a lot of light on how businesses and the general population often forget about prioritizing account security. In case any MaxCDN users come across this post, I wanted to share this article of ours that covers steps for preventing people with malicious intent from access your MaxCDN account. A lot of these steps can apply to other services as well. This article was written in response to what happened with PageFair.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.