Cyber Incident Victim: Realtor.com

Date: Sep 2015

Location: United States of America

Summary

A malvertising campaign targeted a prominent real estate website, exposing visitors to malware infection without requiring any interaction with the fraudulent ads, which appeared to promote legitimate products. The attackers used stealth tactics and SSL encryption to evade detection, and distributed the Bedep Trojan via the Angler exploit kit to unpatched systems lacking adequate security, potentially enabling ad fraud and ransomware. The malicious ads were disabled after the affected platform and its ad-serving provider were notified, though the incident impacted a site with substantial monthly traffic. Users of specific anti-exploit software were protected from the attack.

Description

In September 2015, realtor.com—a prominent real estate platform with approximately 28 million monthly visitors—experienced a malvertising attack impacting users browsing the site. The attack involved fraudulent advertisements that mimicked legitimate promotions for real products or services, distributed through the site’s ad network. Threat actors employed stealth tactics, including SSL encryption for malicious ad traffic, complicating detection and attribution efforts. Visitors were exposed to the Angler exploit kit, which delivered the Bedep Trojan without requiring interaction with the bogus ads. Systems lacking updated security patches or adequate protection were vulnerable to infection. The Bedep Trojan facilitated ad fraud and ransomware operations, indicating financial motives behind the campaign. The same threat group responsible for prior documented malvertising campaigns orchestrated this attack, demonstrating persistent targeting of high-traffic websites. Malwarebytes researchers identified the threat and confirmed that users of their Anti-Exploit product were shielded from the exploit kit’s payload.

The attack prompted Malwarebytes to notify both realtor.com and AdSpirit, the ad-serving platform hosting the malicious creative. AdSpirit disabled the compromised advertisement following the alert, mitigating further exposure. The incident underscored the challenges of combating malvertising, particularly as attackers increasingly leveraged encryption to evade scrutiny. No specific details regarding the number of infected users, data breaches, or operational disruptions to realtor.com were disclosed in available reporting. The event occurred amid broader industry debates about online advertising risks, amplified by Apple’s contemporaneous introduction of ad-blocking tools. Malvertising’s ability to compromise reputable sites without direct user interaction highlighted systemic vulnerabilities in digital advertising ecosystems. Realtor.com’s prominence as the third-ranked real estate site by traffic volume amplified the campaign’s potential reach, though containment actions limited its duration.
