
 

Football (or soccer) aficionados in the UK may have had their computers infected while browsing the Premier League's official fantasy website, fantasy.premierleague.com.

 

A malicious advert displayed on the sports portal which draws in over 16 million visitors per month according to SimilarWeb automatically redirected unsuspecting soccer fans to the Nuclear exploit kit.

 

The Flash-based ad for a British yacht company was hosted on a highly suspicious server and delivered over HTTPS, which makes detection at the firewall or gateway much harder: the ad content is encrypted in transit, so an inspection device sees only the TLS session unless it performs TLS interception.

 

The malvertising chain is familiar as it makes use of goo.gl URLs (Google URL shortener) which are injected dynamically within compromised or blackhat sites. Those shortened URLs are used and discarded frequently and yet, because they belong to Google, a trusted company, cannot be blacklisted entirely at the root domain level.
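Because the shortener belongs to a trusted company, the practical defence is not to block goo.gl at the root but to expand the chain and judge its terminal destination. The script below is an added example (it is not code from the original post or from Malwarebytes); it follows redirects hop by hop with HEAD requests so the landing page is never fetched or executed, stops on loops or excessive hops, and evaluates the final domain. The hostnames in SAMPLE_HOPS and BLOCKED_DOMAINS are constructed for the example; only goo.gl is a real service, and the live fetcher should be run from an isolated host.

```python
"""Expand URL-shortener redirect chains and assess the terminal domain.

Added example, not part of the original post. SAMPLE_HOPS stands in for
live HTTP responses so the module runs offline; live_fetch_location()
does the same job against a real URL using HEAD requests only.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10

# Constructed redirect map: each key answers with the given Location header.
SAMPLE_HOPS = {
    # shortener -> "advertiser" host -> exploit-kit landing page
    "https://goo.gl/AbCd12": "https://cdn.example-yachts.test/ad.swf",
    "https://cdn.example-yachts.test/ad.swf": "https://ek-landing.test/index.php?id=7",
    # a benign shortened link
    "https://goo.gl/Zyx987": "https://news.example.test/article",
    # a redirect loop, which a naive follower would spin on forever
    "https://loop.test/a": "https://loop.test/b",
    "https://loop.test/b": "https://loop.test/a",
}

# Constructed known-bad terminal domains; a real deployment feeds this
# from threat intelligence rather than a literal.
BLOCKED_DOMAINS = {"ek-landing.test"}

# Shortener roots we deliberately do NOT block outright.
SHORTENER_DOMAINS = {"goo.gl", "bit.ly", "t.co"}


def offline_fetch_location(url):
    """Return the Location header for `url`, or None if it does not redirect."""
    return SAMPLE_HOPS.get(url)


def live_fetch_location(url, timeout=5):
    """HEAD `url` without following redirects; return Location or None."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; the 30x surfaces as HTTPError

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        resp = opener.open(req, timeout=timeout)
        return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")


def expand_chain(start_url, fetch_location=offline_fetch_location):
    """Follow redirects from start_url.

    Returns (hops, status) where status is 'ok', 'loop' or 'too_many_hops'
    and hops lists every URL visited, starting with start_url.
    """
    hops = [start_url]
    seen = {start_url}
    current = start_url
    while True:
        nxt = fetch_location(current)
        if nxt is None:
            return hops, "ok"
        nxt = urljoin(current, nxt)  # Location may be relative
        if nxt in seen:
            hops.append(nxt)
            return hops, "loop"
        if len(hops) >= MAX_HOPS:
            return hops, "too_many_hops"
        hops.append(nxt)
        seen.add(nxt)
        current = nxt


def hostname(url):
    return urlparse(url).hostname or ""


def assess(start_url, fetch_location=offline_fetch_location):
    """Expand the chain and decide on the terminal domain, not the shortener."""
    hops, status = expand_chain(start_url, fetch_location)
    terminal = hostname(hops[-1])
    return {
        "hops": hops,
        "status": status,
        "starts_at_shortener": hostname(start_url) in SHORTENER_DOMAINS,
        "terminal_domain": terminal,
        # anomalous chains (loops, runaway hops) are treated as bad too
        "blocked": terminal in BLOCKED_DOMAINS or status != "ok",
    }


if __name__ == "__main__":
    for url in ("https://goo.gl/AbCd12", "https://goo.gl/Zyx987", "https://loop.test/a"):
        print(url, "->", assess(url))
```

The decision is made on the last hop, so a benign goo.gl link and a malicious one are distinguished without touching the shortener's root domain; swapping `offline_fetch_location` for `live_fetch_location` turns the same logic into a triage tool for a freshly reported shortened URL.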

 

This particular attack redirects to the Nuclear exploit kit which makes use of Flash Player exploits to compromise the end-user machine.

 


 

Besides hiding its IP address behind the CloudFlare service, this “advertiser” has a very short history. According to archiving website screenshots.com, the domain okzilla.com was up for grabs just a few months ago:

 


 

The barren website was put together in a hurry and has no contact details. We alerted the Premier League fantasy website and also reported the malicious shortened URL to Google.

 

We did not collect the malware payload associated with this campaign but Malwarebytes Anti-Exploit users were protected against this attack.

 

 

Source:

https://blog.malwarebytes.org/malvertising-2/2015/11/official-premier-league-fantasy-website-site-pushes-malvertising/
