Cyber Incident Victim: Gumtree

Date:

Mar 2016

Location:

Australia

Summary

Gumtree, a major Australian classifieds platform, was compromised through a malvertising attack in which threat actors hijacked a law firm's account to create a fraudulent subdomain hosting malicious advertisements. The attackers impersonated the legitimate business by copying its branding and alternated between benign and malicious versions of the ads to evade detection. The malvertisements were distributed via an ad network and ultimately delivered the Angler Exploit Kit to users' systems. The rogue subdomain was served over HTTPS from separate infrastructure, while the law firm's legitimate site used plain HTTP. Security researchers promptly notified the affected ad network and the law firm, and the rogue advertiser account was deactivated rapidly.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

On or around March 25, 2016, Gumtree.com.au—a leading Australian classifieds platform with approximately 47.8 million monthly visits—was implicated in a malvertising attack distributing malware through its advertising ecosystem. Threat actors compromised the account of Concisus Legal, an Australian law firm, to establish a fraudulent subdomain (ads.concisus.com.au) hosted on a separate server infrastructure (IP address 46.165.218.138) distinct from the firm’s legitimate domain (concisus.com.au, IP 203.170.87.121). The attackers replicated Concisus Legal’s branding, including logos and textual content, to create deceptive ad banners that appeared authentic. A notable technical divergence was the use of HTTPS by the malicious subdomain, contrasting with the legitimate site’s HTTP protocol—a documented evasion tactic to bypass security scrutiny. These fabricated advertisements were then submitted to ad networks under the guise of legitimate marketing campaigns orchestrated by the compromised legal entity.

The malvertising attack chain originated on Gumtree.com.au as the publisher, routing through the AppNexus ad network (sin1.g.adnxs.com) to deliver the rogue advertisements from the fraudulent Concisus Legal subdomain. The final payload leveraged the Angler Exploit Kit to deploy malware, employing fingerprinting techniques to evade detection by security tools and network analysis systems. Attackers alternated between benign and malicious versions of the same advertisement to circumvent ad network vetting processes and prolong the campaign’s operational window. Malwarebytes researchers identified the threat and promptly notified AppNexus, which disabled the rogue advertiser account within minutes of receiving the report. Concurrently, Malwarebytes alerted Concisus Legal regarding the unauthorized use of its digital assets and infrastructure. The incident demonstrated the exploitation of trusted third-party entities to infiltrate high-traffic platforms, leveraging compromised credentials and domain impersonation to distribute malware through mainstream advertising channels.
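The infrastructure divergence described above (a newly created subdomain on a separate server, over a different scheme than the advertiser's own site) is the kind of signal an ad network can check at campaign submission. The following is an added example, not code from this incident record or from any party involved: a vetting function that replays the page's indicators (ads.concisus.com.au on 46.165.218.138 over HTTPS versus concisus.com.au on 203.170.87.121 over HTTP) against a constructed DNS snapshot. The `Campaign` fields and function names are hypothetical.

```python
# Added example: advertiser-vetting check for ad creatives served from
# infrastructure disjoint from the advertiser's own site. Not part of the
# incident record; DNS answers are a constructed snapshot using the IPs
# listed on the page, and all names here are hypothetical.
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed DNS snapshot: hostname -> A records (values from the page).
DNS = {
    "concisus.com.au": {"203.170.87.121"},
    "ads.concisus.com.au": {"46.165.218.138"},
}

@dataclass
class Campaign:
    advertiser_site: str   # site the advertiser claims to represent
    creative_url: str      # where the submitted ad banner is served from

def registrable_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain.

    Handles two-label names and second-level ccTLD forms such as
    example.com.au; a production check would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in {"com", "net", "org", "gov", "edu"}):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def review_campaign(c: Campaign, dns=DNS) -> list:
    """Return human-readable findings for a reviewer; an empty list means clean."""
    site, ad = urlparse(c.advertiser_site), urlparse(c.creative_url)
    site_host, ad_host = site.hostname or "", ad.hostname or ""
    findings = []
    # Creative hosted outside the advertiser's domain entirely: stop here.
    if registrable_domain(ad_host) != registrable_domain(site_host):
        return [f"creative served from {ad_host}, not under {site_host}"]
    # Subdomain of the advertiser resolving to hosts that share nothing
    # with the advertiser's main site (the pattern in this incident).
    site_ips, ad_ips = dns.get(site_host, set()), dns.get(ad_host, set())
    if ad_host != site_host and site_ips and ad_ips and not (site_ips & ad_ips):
        findings.append(f"{ad_host} resolves to {sorted(ad_ips)}, disjoint from "
                        f"{site_host} {sorted(site_ips)}")
    # Scheme differs from the advertiser's own site (HTTPS ad vs HTTP site here).
    if ad.scheme != site.scheme:
        findings.append(f"creative uses {ad.scheme} while the site uses {site.scheme}")
    return findings

if __name__ == "__main__":
    rogue = Campaign("http://concisus.com.au", "https://ads.concisus.com.au/banner.html")
    for finding in review_campaign(rogue):
        print("FLAG:", finding)
```

Findings are review signals for a human or a scoring pipeline, not proof of malice on their own; a legitimate CDN-hosted ad subdomain would trip the IP check as well.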

Sources
Sources available to members
1 source