Most Ironic Attack Ever Plants Malware On Websites Using PageFair Ad Service

Hackers breach web advertising company using fake Adobe Flash update prompts.


If you visited any of about 500 websites on Saturday and also downloaded what looked like an update to Adobe Flash, you may have inadvertently installed malware that turns your Windows PC into a zombie on a hacker’s botnet. Even if you did visit the sites, you’re probably safe if you didn’t take the bait and install the malware masquerading as a Flash update. If you have a Mac, Chromebook, or an Android, iOS, or Linux machine, you are also probably safe, as the malware appears to have targeted only Windows. Just the same, you should follow the standard drill of updating and running your antivirus/anti-malware software. (You do have AV, right?)


Regardless of how big the attack is, it’s a brilliant illustration of everything that’s going wrong with web publishing, advertising, and online security. As such, it’s a great teachable moment for everyone who’s online.

The clever hackers took advantage of the current crisis in online advertising, and the rise of programs like AdBlock Plus, by compromising PageFair, a company that helps content sites get their ads seen. (The attack started at 11:52 p.m. GMT on October 31; PageFair first reported it at 11:30 p.m. on November 1, nearly a day later.) This breach isn’t a case of malicious ads infecting site visitors, as sometimes happens. Instead, web publishers who were trying to do the right thing by running safe, unobtrusive advertising ended up serving malicious JavaScript to visitors from their own pages. The PageFair breach is just another headache in the string of chronic migraines afflicting websites trying to survive billions of dollars in revenue lost to ad-blocking software.

Fast Company reached out to PageFair to find out which of its clients’ sites were affected by the attack. Although the company declined to name specific outlets, it told us via email that of its 3,000 clients, “fewer than 501 publishers [were] affected,” mostly smaller publishers. It added, “It looks like only a small minority of users on those sites were actually affected,” before stating, “we are working on it.”

What’s This All About?

This breach turns the standard Internet-security narrative on its head, leaves out the usual suspects, and highlights both the security and revenue crises that are playing havoc with online publishing. To understand what happened, let’s back up and explain what’s going wrong with online advertising and why a company like PageFair exists.

It’s probably no surprise that people don’t look at online ads. They fetch a fraction of the revenue that print ads do; and as newspapers, magazines, and other publishers lose print subscribers, money is getting tight.


On top of that, more people are eliminating ads from view entirely by installing ad-blocking software, usually industry leader AdBlock Plus, which has had more than 300 million downloads. An August 2015 report by PageFair itself puts the estimated cost of lost online ad revenue for 2015 at $21.8 billion globally. Things got potentially much worse for online publishers in September when Apple released its latest mobile operating system, iOS 9, which allows ad blockers on iPhones and iPads for the first time (although some of the first popular ones have since been withdrawn by their developers).

It’s no wonder people block online ads. The worst of them blink, cover over what you are reading, or play annoying animations to draw your attention to low mortgage rate offers. Running all those ads slows down page loading and eats bandwidth. Even worse, some ads actually install malware on readers’ systems, because hackers routinely infiltrate online-advertising networks and replace the legitimate (if annoying) ads with booby-trapped versions. “The advertising industry is not very good about filtering that stuff out,” says Chase Cunningham, threat intelligence lead at security firm FireHost (now Armor Defense), when we spoke to him earlier this year about some of the biggest online dangers people face.

That explains why companies that make ad-defeating software, of which AdBlock Plus is by far the biggest, are doing such a brisk business. According to the same PageFair report, about 16% of Americans (that’s 45 million people) have installed ad-blocking software. That’s about twice as many as a year earlier. Seventy-seven million Europeans are also blocking ads.

Irony Number 1: The Biggest Ad Blocker Lets Ads Through

AdBlock Plus’s creator, Eyeo, professes on its home page that it is not against all advertising, just the really annoying stuff. By default it lets through ads on a preapproved “whitelist” that conform to its acceptable-ads guidelines (no animation, no covering over what people are reading, etc.). Just as Google sets the de facto standards for how to optimize sites for search engines, Eyeo is on its way to setting the global standards for advertising. And just as SEO experts make a living by mastering the intricacies of Google’s methods, PageFair is trying to do business as a middleman between web publishers and Eyeo.

Dublin-based PageFair was founded in 2012 to help web publishers run only ads that conform to Eyeo’s whitelist. One of the things PageFair offers is an analytics tool that lets clients see how well their ads are doing. That tool is a snippet of JavaScript that publishers embed in their pages and that loads from servers under PageFair’s control, so every visitor’s browser fetches and runs it. It’s that hosted script the hackers went after, replacing it with their own malicious JavaScript.


Security experts and journalists have written until they’re blue in the face telling people to uninstall or disable the Java browser plug-in, which could allow a website or remote hacker to execute code on someone’s computer. JavaScript, which has virtually nothing to do with Java beyond the name, is generally considered okay, or at least a tolerable risk, because the browser confines it to the page it runs on. The catch is that a script loaded from a third party runs with exactly the same privileges on that page as the publisher’s own code, so whoever controls the third party’s copy of the file controls what every visitor’s browser does there. The PageFair hackers quietly replaced the benign JavaScript that pages usually serve with their own malware, which ran on affected sites for one hour and 23 minutes before PageFair was able to fully shut it down.

Irony Number 2: A High-Tech Company Falls For A Low-Tech Trick

They were able to do this by using what is becoming the oldest trick in the book: a technique called spear phishing. Nearly everyone has received a phishing email, a generic note purporting to come from, say, a bank or FedEx, asking you to click a link and do something like update your account information. The link leads to a bogus web form where victims diligently enter all the personal information that identity thieves need.

Spear phishing is a more clever version targeted at a specific person or group of people, such as the employees of one company. It uses emails tailored to those people, pretending to come from a mailing list they are on, or even from their own employer, vendors, or clients, and it usually includes details specific to the targets to make it look more legitimate. Hackers used that trick against PageFair, found at least one employee who took the bait, and eventually obtained the access they needed to log into the company’s systems and replace the JavaScript its clients serve on their pages. This highlights the dangers of a company that runs code on many other companies’ sites: one compromised account at the vendor becomes a compromise of every page that embeds its script.

Irony Number 3: This Time, It’s Not Adobe’s Fault

The hackers then used another classic trick: a bait-and-switch pop-up that asks people to install one piece of software, in this case an Adobe Flash update, but instead installs malware, in this case apparently a Trojan horse used to commandeer computers as nodes on what’s called a botnet (which can be used for big distributed tasks like sending spam or launching other cyberattacks). Adobe Flash is a favorite of hackers because it is so common on computers (though generally not on mobile devices) and is so prone to security vulnerabilities. But this time, Adobe is not to blame. The PageFair attackers didn’t take advantage of a vulnerability in Flash. Rather, they took advantage of the fact that people are so used to Flash having vulnerabilities that they might instinctively click to download a patch. That is the tell: a real Flash update never arrives as a download prompt from whatever website you happen to be reading; it comes from Adobe’s own updater or from adobe.com.

Irony Number 4: An Attempt To Be More Trustworthy Just Backfired

It’s sad when bad things happen to good people, or at least to people who feel compelled to do good by market forces. Most people are already wary of online marketers and advertisers, reported market research firm GfK in a March 2014 survey of 1,000 Americans across five generations. Some of the painful truths include:

  • 88% are “somewhat to very concerned” about protection of personal data
  • 33% were affected at least once by misuse of their personal data
  • 54% say marketers and advertisers need to change their policies on use of personal data
  • Among the 23 categories of businesses they were asked about, respondents trusted marketers and advertisers the least (only 25% professed their trust).

For a lot of people, blocking ads just looks like the safest way to go. As the product name AdBlock Plus suggests, Eyeo is very good at this. Now companies trying to play by Eyeo’s rules just got a black eye from hackers.

This article has been updated to reflect the renaming of security firm FireHost.

About the author

Sean Captain is a Bay Area technology, science, and policy journalist. Follow him on Twitter @seancaptain.