London Stock Exchange Site Served Up Malicious Ads, Fake AV

A malicious ad served up by third-party ad network Unanimis on the London Stock Exchange Website downloaded malware onto users' Windows machines.

The London Stock Exchange can't seem to catch a break. Less than 48 hours after a technical glitch stopped all trading, Google flagged the stock exchange's Website for malware.

Users trying to get to via Google Chrome or Mozilla Firefox were shown a warning page on Feb. 27 that warned the site may contain malware. Chrome and Firefox both use Google's malware blocklist to flag suspected sites.

Merely viewing the stock exchange's main homepage caused malware to be downloaded in a drive-by attack, Paul Mutton, an information security consultant based in Wiltshire, England, wrote on the High Severity security blog. He was alerted to the issue by some users on Twitter.

Google's Safe Browsing feature provides diagnostic information for the site's malware history. "Of the 281 pages we tested on the site over the past 90 days, 65 page(s) resulted in malicious software being downloaded and installed without user consent," the diagnostic page read on Feb. 27. The diagnostic page claimed to have found two scripting exploits, two Trojans and one exploit. A successful infection resulted in an average of five new processes on the compromised machine, according to the page.

The problem turned out to be a malicious advertisement being served up by a third-party ad network, according to the stock exchange. The malicious advertisement has been removed and the exchange was working with Google to take down the warning message, LSE said.

The London Stock Exchange site itself has not hosted any malware, nor has it been used to infect other sites, according to the diagnostic page. With "malvertising," cyber-criminals can easily use a large number of legitimate Websites to download malware in the background without directly compromising the sites, but indirectly via a malicious ad on a third-party network.

Malvertising have become a primary attack vector, according to Anup Ghosh, founder and chief scientist of Invincea.

In this case, the ad was being served up by third-party provider Unanimis and Borsa Italiana, and the malware was actually hosted on, a site that Google had already flagged as being suspicious, according to diagnostic page.

Compromised users were hit by a fake antivirus program which appeared in the system tray and prevented other processes such as Task Manager from running, Mutton said. The malware also changed the wallpaper to a text background that warned in bright red letters, "Warning! Your're in danger! Your computer is infected with spyware!"

The malware affected only the site's banner advertisements and did not compromise the rest of the stock exchange's Website, according to Unanismis. "The affected advertisements have been removed and all sites continue to operate normally," the company said. "For clarity the LSE Website was not impacted by this malware, not did it propagate malware," according to the statement.

A London Stock Exchange spokesperson told Mutton it was inaccurate to claim the stock exchange site was propagating malware since users had to click through to be infected, according to an earlier version of Mutton's post.