In an exclusive featured at TechWorld.com, research group Malwarebytes released information that Match.com users are at risk of a malware attack that can steal personal information, send spam emails through their accounts, and operate undetected inside their devices.
Early reports indicate that the malware, which mostly targeted UK users among Match.com’s 21 million registered users, was delivered through ads on the website that installed ad fraud Trojans, which send high-volume requests to rogue advertising networks. The exploit takes the user to that site, which then re-infects the system with more malware. In some cases, users were also slammed with ransomware, a different kind of Trojan that holds the user’s device hostage unless they pay a set amount, like $500, to have control returned to them. Worse, anyone using an outdated browser or plugin wouldn’t even have to click on one of the ads to be affected.
A full post from Malwarebytes is due later today to explain just how the malware works and its reach. The research group alerted Match.com to the hack yesterday, but the ‘malvertising campaign’ continues to be seen on company pages.
This isn’t the first time this year that Match.com has been reported to have weak security. Back in April it was exposing the passwords of millions of users by not properly securing its login page with HTTPS; without it, users were vulnerable to man-in-the-middle attacks.
This also comes just on the heels of the hack of extramarital dating site Ashley Madison, which released 37 million account holders’ private data into the wild. While the data is speculated to have been released by someone with insider access to the Ashley Madison accounts, the information exposed in this hack included not just email addresses but demographic details and both home and business addresses.
The focus for security is often on those two giants of the online world, e-commerce websites and financial institutions. Only recently have other industries, like health care and insurance, found themselves on the receiving end of successful hack attempts and started to look at ways to improve their defenses (from both breach loss and from fraudulent accounts). But what the Malwarebytes exposé on Match.com and the Ashley Madison saga have proved is that even innocuous sites are lucrative targets for that prime personal information – context. Context for what? Identity theft, fraudulent tax returns, any number of scams.
Companies have to learn that there are two responses to data security that must be carried out – that they not only have to be circumspect in protecting customer data but must make sure that stolen data can’t be used against them either. User behavior analytics protects both.