“They could hijack referral commissions destined for others”
UPDATED 15.20GMT March 14, 2019 with corrections, comment from Sizmek.
Hackers have been caught selling access to a user account of Sizmek, an American online advertising platform that works with Gannett and Fox Broadcasting.
Security researcher Brian Krebs discovered the account for sale on a Russian-language cybercrime forum. The bidding starts at $800 for an account the hackers say allows you to: “Add new users to the ad system, edit existing ones and ad offers.”
If a threat actor buys access to this type of account they could use it as a platform to infect existing ad campaigns “by inserting malicious scripts into the HTML code of ads that run on popular sites. Or they could hijack referral commissions destined for others and otherwise siphon ad profits from the system,” Krebs notes in his security blog.
Austin-based Sizmek runs its advertising platform across 70 countries where it connects to over 20,000 advertisers and 3,600 agencies. A hacker with access to this ecosystem could conduct a series of malware campaigns targeting unsuspecting shoppers.
Sizmek told Computer Business Review in an emailed statement: “Recently, a report surfaced on a cybersecurity blog site claiming Sizmek’s ad serving platform (Sizmek Ad Suite or SAS) had been compromised, suggesting that nefarious or unscrupulous behaviors occurred within our platform causing a breach.”
“We can confirm that no instance of account anomalies or code discrepancies from outside influences have been detected in our system.”
“Security is a priority for Sizmek and we are committed to protecting our platform with the utmost vigilance. In this situation, we were alerted about a possible internal login being exposed. Following the resolution of the incident, we undertook a comprehensive review to confirm that no unauthorized logins or accounts appeared in our system and remove any user lists that were not absolutely validated.”
The company added: “Our team is constantly monitoring for signals of irregular or unusual activities in our platforms and we take strong protective measures to ward off unscrupulous behaviors. In any case, we go to extraordinary lengths to immediately address and further buttress our systems against possible harms.”
Sizmek General Counsel George Pappachen informed Krebs that they believe the account identified for sale online was a regular user account and did not have high-level administration access as the hacker had claimed.
He said: “It seemed like [the screenshots were accounts from] past employees. I think there were even a couple of vendors that had access to the system previously.”
It is still unclear what attack vector allowed the seller to gain access to the account. One theory is that a simple password spraying attack got a hit.
Password spraying is an attack on an account login page that tries account user names in conjunction with commonly used passwords such as qwerty12345, month/year combos or the organisation's name and a number.
The FBI believe that the recent breach of American software giant Citrix was caused by a hacker utilising a password spraying attack.
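Password spraying as described above leaves a recognisable shape in authentication logs: one source failing against many accounts with only a few guesses each, unlike brute force against a single account. The following detection sketch is an added example, not from the original article or from Sizmek; the log format, thresholds and function names are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2019-03-01T09:00:00 203.0.113.7 alice FAIL
2019-03-01T09:00:40 203.0.113.7 bob FAIL
2019-03-01T09:01:15 203.0.113.7 carol FAIL
2019-03-01T09:02:05 203.0.113.7 dave FAIL
2019-03-01T09:02:50 203.0.113.7 erin FAIL
2019-03-01T09:03:30 203.0.113.7 frank OK
2019-03-01T09:05:00 198.51.100.9 alice FAIL
2019-03-01T09:05:05 198.51.100.9 alice FAIL
2019-03-01T09:05:10 198.51.100.9 alice FAIL
2019-03-01T09:05:15 198.51.100.9 alice FAIL
2019-03-01T09:10:00 192.0.2.44 grace FAIL
2019-03-01T09:10:20 192.0.2.44 grace OK
"""

def parse(log):
    for line in log.splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result == "OK"

def detect_spraying(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Return {source: {"targeted": set, "hits": set}} for spray-like sources."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end, (ts, _, _, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # slide the window forward
                start += 1
            in_win = evs[start:end + 1]
            fails = defaultdict(int)
            for _, _, user, ok in in_win:
                if not ok:
                    fails[user] += 1
            # Spray shape: many accounts, few guesses each (stays under lockout).
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                f = findings.setdefault(src, {"targeted": set(), "hits": set()})
                f["targeted"].update(fails)
                # A success from a spraying source is a likely compromised account.
                f["hits"].update(u for _, _, u, ok in in_win if ok)
    return findings
```

On the constructed log, only 203.0.113.7 is flagged, with `frank` reported as a hit; the repeated failures against `alice` from one address and the single mistyped login for `grace` do not match the spray shape.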