“It could be a high profile or an under the radar website and has the ability to spread through thousands of users before being found and stopped.“After the massive media attention that Ashley Madison has attracted, it stands to reason that similar infiltrations will also attract the same sort of short term awareness.
“[Plenty of Fish] need to ensure they are using a good ad server to manage their online advertising, vet the company and the provider to ensure it has a good reputation,” added James.“While also keeping the public informed of exactly what has and what is happening will help and offer some kind of credit monitoring service to anyone directly affected by the compromise.As Tech Crunch reported yesterday, the Vancouver, Canada-based online dating website Plenty Of Fish announced that it was getting acquired by Match Group, the subsidiary of IAC/Inter Active that also owns Match.com, Tinder, and OKCupid.After would-be adulterers lose sleep about their details being uncovered in the Ashley Madison data breach, singles looking for love on Plenty of Fish could be infected by malware.Security firm Malwarebytes has found the advertising network used on the site is dishing up fake ads that install malware on systems with out of date software like Internet Explorer or Adobe Flash.
If a dodgy link is clicked, an exploit kit searches for vulnerabilities and drops the malicious software onto the machine.
Some ads can even automatically install malware if it detects a PC that can be infected.
Malwarebytes believes the malware installed is Tinba, which is typically used to steal bank details.
The company stresses that Plenty of Fish’s servers have not been breached, so user information is safe – unlike that of millions of Ashley Madison users.
“Malvertising has been around for a while now and often is quite successful in its attack campaign because of the lack of interaction needed by the individual infected.
It’s not reliant on unpatched servers or vulnerabilities nor the reputation of the affected site,” explained Mark James, security specialist at ESET.