Ads on Match.com can let hackers hold computers for ransom: report

Members of Match.com in search of companionship were warned by security experts Thursday to expect something else as the British version of the popular online dating service is serving viruses to visitors through Web ads embedded with malware.

Internet security firm Malwarebytes said advertisements appearing on Match.com’s U.K. portal have been discovered to contain code that can let hackers to take control of a victim’s computer and hold it for ransom.

Jérôme Segura, a senior researcher with Malwarebytes, said the “malvertising” campaign had been brought to Match.com’s attention, but was “still ongoing via other routes” Thursday.

Malvertising is an attack method in which hackers surreptitiously hide malicious code inside ads that have been designed to exploit flaws in vulnerable Web browsers. Ads that appear legitimate are then sold to a website or a third-party supplier and set to load automatically when visitors land on a particular page or portal.

Under the right circumstances, the ad loads on the page and deploys malware that gives an attacker access to a victim’s computer.

Last month, an advanced-threat defense company, Cyphort, said the use of malvertising by cybercriminals has spiked 325 percent in only a year.

Match temporarily suspended advertising on its U.K. site, which successfully isolated the threat. The dating site said it had not been made aware of any users being affected by the malware.

Mr. Segura told the Washington Times that while his group’s alert only specifically applies to Match’s U.K. site, the same type of dangerous ads are affecting other sites “worldwide,” including ones popular in the U.S. and Canada, though he did not name any.

In the case of this particular campaign, Mr. Segura said hackers were able to obscure the malicious code through a series of shortened Google URLs that eventually pointed toward an exploit kit that would then be installed on a victim’s computer and inject Trojan viruses.

“Users with outdated browsing software or a plugin such as Flash, Silverlight, Reader or Java on their computers do not even have to click on one of the dodgy ads on the network. The malware simply silently loads, locks files on the computer and a few minutes later a message demanding the ransom is sent,” he wrote on the firm’s blog.

Additionally, Mr. Segura said attackers had designed the ads to install CryptoWall ransomware — a type of virus that encrypts the contents of a targeted computer and refuses to release it until a fee is paid, usually through digital currency, like Bitcoin, that can’t be traced back to the hacker.

“The cost per thousand impressions for the booby-trapped ad was only 36c, which is nothing compared to how much infected computers can bring in terms of revenues. For instance, CryptoWall demands $500 per victim,” Mr. Segura said.

According to Malwarebytes, the actors behind the Match.com campaign have been obscuring their malware through multiple layers that made it difficult to discover for security researchers, let alone ad networks and the site itself.

Match.com has 27.3 million visitors worldwide every month, but Malwarebytes said the attack was targeting users based in the U.K. According to SimilarWeb, Match has around 5.5 million users there.

“We take the security of our members very seriously indeed. We are currently investigating this alleged issue,” a representative for Match.com told The Register.

News of the malvertising campaign on Match.com comes amid the ongoing scandal surrounding Ashley Madison, the “Life is short, have an affair” hook-up site that was breached by hackers who then published the personal information of millions of paid users.

The CEO of Ashley Madison’s parent company resigned last month in the wake of the leak, and the company currently faces lawsuits from former customers in the U.S. and Canada. Separately, Hold Security reported last week that hackers had recently breached nearly 100 online dating sites and made off with the user credentials for registered members.