Gumtree is a free classified advertising site and subsidiary of eBay, particularly popular in the UK, Australia, and South Africa. Gumtree is the number one local classifieds site in Australia with 47.8M monthly visits* and was recently affected by a malvertising attack.
Threat actors hacked the account of an Australian legal firm called Concisus Legal to create a legitimate-looking but fraudulent subdomain off the firm's main domain.
Legitimate domain:
  Hostname: concisus.com.au
  IP address: 203.170.87.121

Rogue advertiser:
  Hostname: ads.concisus.com.au
  IP address: 46.165.218.138
In addition to sitting on different server infrastructure, the fraudulent advert is served over HTTPS, while the legal firm's own site only uses plain HTTP. This is a technique we have observed several times before.
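As an added example (not part of the original write-up), the following Python turns the infrastructure mismatch described above into a triage check: it flags subdomains whose A record falls outside the parent domain's /24 or that serve TLS when the parent itself does not. The observation table is constructed from the hostnames and addresses quoted above, plus an invented www host for contrast.

```python
import ipaddress

# Constructed sample observations: the parent domain and rogue subdomain use
# the values quoted in the write-up; "www" is an invented benign host on the
# same /24 so the check has something it should NOT flag.
OBSERVATIONS = {
    "concisus.com.au":     {"ip": "203.170.87.121", "https": False},
    "www.concisus.com.au": {"ip": "203.170.87.122", "https": False},
    "ads.concisus.com.au": {"ip": "46.165.218.138", "https": True},
}


def same_network(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """True when both IPv4 addresses fall inside the same /prefix block."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def divergent_subdomains(parent: str, observations: dict, prefix: int = 24) -> dict:
    """Return {subdomain: [reasons]} for hosts under `parent` whose serving
    setup differs from the parent's in the two ways seen in this incident:
    an address outside the parent's /prefix, or HTTPS on the child while the
    parent is plain HTTP. Hosts with no divergence are omitted."""
    base = observations[parent]
    findings = {}
    for host, obs in observations.items():
        if host == parent or not host.endswith("." + parent):
            continue
        reasons = []
        if not same_network(base["ip"], obs["ip"], prefix):
            reasons.append(f"resolves to {obs['ip']}, outside {base['ip']}/{prefix}")
        if obs["https"] and not base["https"]:
            reasons.append("served over HTTPS while parent is plain HTTP")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in divergent_subdomains("concisus.com.au", OBSERVATIONS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

A different /24 is only a heuristic: CDN- or SaaS-hosted subdomains legitimately diverge from the parent, so treat a hit as a triage signal to verify with the domain owner rather than a verdict.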
The rogue advertisers simply lifted the company logo and some text from the firm's website to create what looks like a typical ad banner. They then approached ad networks and posed as prospective advertisers under the guise of the victim whose identity they had abused.