Hackers have exploited flaws in popular open-source advertising software to place malicious code in advertisements on several popular Web sites over the past week.
The attackers are taking advantage of a pair of bugs in the OpenX advertising software to log in to advertising servers and then place malicious code on ads being served on the sites. On Monday, cartoon syndicator King Features said that it had been hacked last week because of the OpenX bugs. The company’s Comics Kingdom product, which delivers comics and ads to about 50 Web sites, was affected.
After being notified of the problem Thursday morning, King Features determined that “through a security exploit in the ad server application, hackers had injected a malicious code into our ad database,” the company said in a note posted to its Web site. King Features said that the malicious code used a new, unpatched Adobe attack to install malicious software on victims’ computers, but that could not immediately be verified.
Another OpenX user, the Ain’t It Cool News Web site, was reportedly hit with a similar attack last week.
Web-based attacks are a favorite way for cyber-criminals to install their malicious software, and this latest round of hacks shows how ad server networks can become useful conduits for attack. In September, scammers placed malicious software on The New York Times’ Web site by posing as legitimate ad buyers.
The same technique that worked on King Features and Ain’t It Cool News was used to hack into at least two other Web sites last week, according to one OpenX administrator who spoke on condition of anonymity because he wasn’t authorized to speak with the press.
Attackers used one attack to get login rights to his server, and then uploaded a maliciously encoded image that contained a PHP script hidden inside it, he said. By viewing the image, attackers forced the script to execute on the server. It then attached a snippet of HTML code to every ad on the server. Known as an iFrame, this invisible HTML object then redirected visitors to a Web site in China that downloaded the Adobe attack code.
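A defender's check for the two artifacts described above, as an added example that is not from the article or from OpenX: it scans uploaded image bytes for an embedded PHP open tag and ad HTML for invisible iframes. The function names, the sample files and the `malicious.example` host are constructed for illustration.

```python
import re

# PHP open tags that should never appear inside a genuine image upload.
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Attributes or inline styles that make a frame invisible to the visitor.
HIDDEN = re.compile(
    r"""(?:\b(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden)""",
    re.IGNORECASE,
)
SRC = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def image_has_php(data: bytes) -> bool:
    """True if an uploaded image carries an embedded PHP open tag."""
    return PHP_TAG.search(data) is not None


def hidden_iframes(ad_html: str) -> list:
    """Return the src of every invisible iframe found in one ad's HTML."""
    found = []
    for tag in IFRAME.findall(ad_html):
        if HIDDEN.search(tag):
            m = SRC.search(tag)
            found.append(m.group(1) if m else "")
    return found


def audit(images: dict, ads: dict) -> dict:
    """Flag suspicious uploads and ads; keys are file names and ad ids."""
    return {
        "images": sorted(n for n, d in images.items() if image_has_php(d)),
        "ads": sorted((i, s) for i, h in ads.items() for s in hidden_iframes(h)),
    }


# Constructed samples: a clean GIF, and a GIF header followed by a PHP tag.
SAMPLE_IMAGES = {
    "banner_ok.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff;",
    "banner_bad.gif": b"GIF89a\x01\x00\x01\x00<?php /* placeholder */ ?>;",
}
SAMPLE_ADS = {
    "ad-1": '<a href="https://example.com/"><img src="banner_ok.gif"></a>',
    "ad-2": '<img src="b.gif"><iframe src="http://malicious.example/x" width="0" height="0"></iframe>',
}

if __name__ == "__main__":
    print(audit(SAMPLE_IMAGES, SAMPLE_ADS))
```

A hit on either check is a lead to review, not proof of compromise: image metadata can contain `<?`-style sequences by chance, and some legitimate ad tags use small tracking frames.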
OpenX said that it was aware of “no major vulnerabilities associated with the current version of the software – 2.8.2 – in either its downloaded or hosted forms,” in an e-mailed statement.
At least one OpenX user believes that the current version of the product may be vulnerable to part of this attack, however. In a forum post, a user said that he was hacked while running an older version of the software, but that the current (2.8.2) version is also vulnerable. “If you are running a current, unmodified release of OpenX, it is possible to anonymously log in to the admin site and gain administrator-level control of the system,” he wrote.
More details on the OpenX hack can be found here.
When researchers at Praetorian Security Group looked at the Adobe attack, they found that it did not leverage the unpatched Adobe bug, said Daniel Kennedy, a partner with the security consultancy. Instead, the attack marshalled an assortment of three different Adobe exploits, he said. “We’re seeing no evidence that it’s the 0day that will be patched by Adobe in January.”
Security experts say that the Adobe flaw has not been widely used in online attacks, even though it has been publicly disclosed. On Monday, Symantec said it had received fewer than 100 reports of the attack.