Cyber Incident Victim: LiveJournal
Date: Mar 2016
Location: United States of America
Summary
LiveJournal and another social platform were compromised via malvertising attacks leveraging domain shadowing and fingerprinting techniques to evade detection. Cybercriminals used stolen credentials to create fraudulent subdomains hosting malicious ads distributed through an ad network, employing Google open redirects to deliver the Angler exploit kit. The attackers selectively targeted vulnerable users by fingerprinting systems for outdated software or absent security tools, while avoiding protected devices. This campaign automatically exposed visitors to malware without requiring ad interactions, exploiting a vulnerability in Internet Explorer to scan local systems for security products and research environments.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 5 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In March 2016, livejournal.com and likes.com were compromised through malvertising campaigns distributing the Angler exploit kit via the AppNexus ad network. Attackers obtained credentials from legitimate businesses through phishing or password-stealing malware installed on administrators' machines. They registered subdomains on compromised domains—crea.bouquetsandbunting.co.uk for likes.com and apis.arthurspools.com for livejournal.com—to host fraudulent ad banners mimicking legitimate content. These ads bypassed security screenings through domain shadowing, a technique exploiting stolen credentials to create malicious subdomains under legitimate domains. The attackers initially served clean advertisements to establish credibility with ad platforms before selectively delivering malware. Users were exposed automatically upon visiting the sites without needing to interact with the ads. Both attacks leveraged Google open redirects to funnel traffic through trusted domains before redirecting to Angler exploit kit landing pages.

The campaigns employed fingerprinting to evade detection and maximize infection success rates. Attackers used a vulnerability in Internet Explorer to scan victims' local hard drives for security software artifacts, anti-malware tools, sandbox indicators, or honeypot signatures. This reconnaissance allowed the exploit kit to abort attacks on systems running protective software like Malwarebytes, focusing only on vulnerable targets with outdated software or no security measures. The operation specifically targeted livejournal.com's 140 million monthly visitors and likes.com's 110 million users. No containment actions by the affected platforms or AppNexus were described in available reporting. The primary documented consequence was unauthorized malware distribution through compromised advertising channels, exploiting the sites' high-traffic audiences. Prevention relied on user-side measures including software updates and security tools that could trigger fingerprinting-based abort mechanisms.
