ThreatMetrix US Patents Press Releases

ThreatMetrix Outlines Technical Threats Associated with Superfish Adware in Latest ThreatMetrix® Labs Report

Posted March 5, 2015


ThreatMetrix Labs Report Provides Information Regarding Superfish as “Man-In-The-Browser” Malware in Online Business and Banking Activities, Among Other Threats

San Jose, CA – March 5, 2015 – ThreatMetrix®, the fastest-growing provider of context-based security and advanced fraud prevention solutions, today announced the release of its most recent ThreatMetrix® Labs report outlining the technical threats associated with adware such as Superfish, which prompted international backlash when it became public that the malware came pre-installed on many Lenovo laptops.

The ThreatMetrix Labs “Superfish Adware – A Closer Look” report outlines in detail the nature and behavior of Superfish and similar adware, comparing them to “man-in-the-browser” (MitB) banking Trojans. The report also looks at Superfish’s HTML injection through browser add-ons and what sensitive information this injection lets injected Javascript access. In addition, it delves into the issues associated with Superfish and other adware tools using Komodia’s library for ad injection installing a Certificate Authority (CA) into users’ browsers. These are protected only by easily-obtained weak passwords, enabling fraudsters to easily impersonate legitimate website certificates.

“Data from the ThreatMetrix Global Trust Intelligence Network shows that the Superfish Adware has been an increasing threat since October 2014,” said Andreas Baumhof, chief technology officer at ThreatMetrix. “While this isn’t a new threat, its recent exposure has left many businesses and consumers questioning what they should know about its threats and how to protect against it. Since it has been around for some time and ThreatMetrix has long had capabilities to detect these kinds of threats, we provide technical details surrounding Superfish and its implications.”

Depending on the page accessed, the Javascript injected by Superfish has full access to a wide range of sensitive information. For example, the ThreatMetrix Labs report outlines the information that can be accessed by this Javascript code when a user visits a website, including cookies, local storage information, any Document Object Model (DOM) element of the page, user input (such as form field data) and any events that are fired during the session (such as submission of a login form).

ThreatMetrix provides a malware detection service (a “Honeypot”) that allows its customers to detect the presence of malware strains like Superfish in real time without any interference in their customers’ journeys. This information is fully integrated into the analysis by the ThreatMetrix® Global Trust Intelligence Network (The Network).

“Whenever a strain of malware like Superfish grows this rapidly, online businesses and banks struggle to protect their customers against its threats – such as compromised sensitive information – without adding friction to the user experience,” said Baumhof. “ThreatMetrix’s honeypot detection techniques help businesses detect unauthorized webpage modification within a user’s browser as part of the user’s full risk assessment, all without any added steps to the customer journey.”

ThreatMetrix authenticates customer transactions using real-time identity and access analytics that leverage the power of the world’s largest shared intelligence network. The ThreatMetrix solution already protects leading online businesses and financial institutions against account takeover, payment fraud, and fraudulent account registrations as a result of stolen credentials obtained from malware, social engineering, phishing and data breaches.

The public ThreatMetrix Labs report can be downloaded here.

ThreatMetrix Resources

About ThreatMetrix

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations resulting from malware, and data breaches. Underpinning the solution is the ThreatMetrix® Global Trust Intelligence Network, which analyzes more than one billion monthly transactions protecting more than 210 million active user accounts across 3,000 customers and 15,000 websites and mobile applications.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, FacebookLinkedIn and Twitter pages.

© 2015 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the TrustDefender Cybercrime Protection Platform, ThreatMetrix Labs, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.

Media Contacts
Jaci Robbins
Tel: 408-200-5718

close btn