PageFair analytics hacked and used to distribute malware on Halloween

First, the trick: on Halloween night, PageFair got hit by a Trojan masquerading as an Adobe Flash update.

Then, the treat: the company managed to eschew non-apology mumbo-jumbo to issue a detailed, satisfyingly remorseful apology.

Beginning late Sunday night, the day after the company discovered the attack, PageFair CEO Sean Blanchfield published a series of updated posts about the 83-minute attack, which he said affected 501 publishers of the company’s free analytics service.

PageFair’s analytics enable online publishers to see how many of their visitors are blocking ads. It also offers an advertising system that displays “adblock-friendly” ads to adblockers.

PageFair’s mea culpa as of 21:30 GMT Sunday:

If you are a publisher using our free analytics service, you have good reason to be very angry and disappointed with us right now.

For 83 minutes last night, the PageFair analytics service was compromised by hackers, who succeeded in getting malicious javascript to execute on websites via our service, which prompted some visitors to these websites to download an executable file.

I am very sorry that this occurred and would like to assure you that it is no longer happening.

The malware (detected by Sophos as Mal/MSIL-PL) turned out to be a Trojan calling itself adobe_flashplayer_7.exe.

The attack started with a successful spearphishing attack against PageFair that gave the attackers access to a key email account.

They used that email account to reset the password on PageFair’s CDN (Content Delivery Network) and replaced PageFair’s analytics code with their own malicious JavaScript.

A CDN is a distributed website that mirrors content around the world to lots of different servers. PageFair customers embed code hosted on the CDN in their web pages.

Changing the code on the CDN changed the code embedded by PageFair customers, turning their sites from advertising channels into malware distribution channels.

Users visiting sites that used PageFair’s compromised analytics code were prompted to install a fake Adobe Flash update, and anyone who accepted it and wasn’t protected by up-to-date anti-virus software was at risk.

The company estimates that some 2.3% of visitors to the 501 affected publishers during the 83 minutes of the attack would have been placed at risk of infection, though more than that would have seen an alert dialog purporting to be a Flash update notice.

PageFair directly notified affected publishers and by Monday had completely resolved the breach, the company said.

It does not appear that any core PageFair servers or databases were compromised.

That means that no publisher account information, passwords or personal information was apparently leaked.

It’s quite common for organisations to include JavaScript code from third parties in their websites; it’s how things like online advertising, Google Analytics, Facebook Like buttons and Twitter’s Tweet widgets work, for example.

Using third-party code is useful, easy and convenient (and often the only way to access a service), but it’s also a risk: your site is only as secure as the third-party organisations it pulls its code from.

In this instance, that sharing of code allowed a phishing attack against a single vendor to compromise 501 different websites with tens of millions of monthly visitors.
