With the fallout from the Ashley Madison hack still ongoing, we have now learned that the world's leading online dating service Match.com has been putting its customers at risk by serving up malware through malicious ads placed on its website.
Security researchers discovered that by paying just 36 cents, operators of the malware campaign were able to place malicious ads on the company's website. If a visitor clicked on one of these ads, they would be led through a series of links to a site that would check if the browser being used had any one of a number of flaws. If it discovered one, then malware or ransomware would be silently downloaded onto a victim's PC without their knowledge.
The ads were piped to Match.com's U.K. website from a third-party ad agency, and upon discovering the malvertising campaign, the dating service briefly suspended ads on its website. There was no suggestion that any customer data was ever put at risk, unlike in the attack on affairs website Ashley Madison.
Jérôme Segura from Malwarebytes, who uncovered the campaign, said it was difficult to ascertain how many people may have been affected as the ad agency used by Match.com also sends ads to many other websites. SimilarWeb says that Match.com has over 27 million visitors each month with over 5 million of those based in the U.K.
The malware served up by the campaign included Cryptowall, a piece of ransomware that encrypts all the files on a PC and demands a ransom of up to $500 to unlock them again.
Taking Security Seriously
A spokesperson for Match.com said: “We take the security of our members very seriously. Earlier today we took the precautionary measure of temporarily suspending advertising on our U.K. site whilst we investigated a potential malware issue. Our security experts were able to identify and isolate the affected adverts, this does not represent a breach of our site or our users’ data.”
Gavin Reid, vice president of threat intelligence at security company Lancope, said it was important to distinguish this attack from that on Ashley Madison: "It is important to not confuse the attack at Match with full site compromises like the recent hack of Ashley Madison. The information on this attack shows a much different issue of malvertising (ads that contain links to malware) being viewed on their website. Malvertising has plagued online websites, with almost all of the top 100 sites having hosted them at some time."
With malvertising on the rise, there are some simple steps you can take to prevent your system being infected, says Tim Erlin from security company Tripwire: “The best protection from this kind of attack is to ensure your computer is up to date with security patches. Malware often exploits a known vulnerability for which patches exist, but haven’t been applied.”