Opera Site Serving Malvertising

Monday, November 19, 2012 @ 04:11 PM gHale

Opera halted ad-serving on its portal as a precaution while it investigates reports surfers suffered exposure to malware simply by visiting the Norwegian browser firm’s home page.

Malicious scripts loaded by portal.opera.com were redirecting users toward a malicious site hosting the notorious BlackHole exploit kit, said a Romanian anti-virus firm BitDefender, which said it detected the apparent attack on its automated systems.

Malware Alert: USB Smart Readers
New Java Attack in Exploit Kit
Malware with Terms of Service Pact
Simple Works for Malware Writers

BitDefender said it warned Opera after it detected the problem on Wednesday. It seems likely the scripts had been loaded through a third-party advertisement, a practice commonly known as malvertising.

Opera, while not confirming the issue, did disable advertising scripts on its portal just in case.

The browser firm said: “We are investigating the claim, and while we are working with this, we have taken some precautionary measures just to be safe, such as disabling the ads temporarily on portal.opera.com,” Opera said in a statement.

A blog post by BitDefender said cyber crooks were using obfuscated script to hide the attack. The security firm said Opera fans suffered exposure simply by firing up the browser software.

“The hidden and obfuscated piece of code in the Opera Portal homepage inserts an iFrame that loads malicious content from an external source,” BitDefender said. “If the Opera user hasn’t changed their default homepage, active malicious content is loaded from a third-party website whenever they open their browser.”

In controlled tests, BitDefender researchers were served with a PDF-based exploit designed to infect a user with a freshly compiled variant of the ZBot (ZeuS) banking Trojan. The exploit served from a server in Russia, according to BitDefender.

“We have no indications that anyone was infected before or after we disabled the ads yesterday [Wednesday],” an Opera spokesman said.

Leave a Reply

You must be logged in to post a comment.