More than 500 websites that used a free analytics service inadvertently exposed their visitors to a nasty malware attack made possible by a hack of PageFair, the anti-adblocking company that provided the analytics.

The compromise started in the last few minutes of Halloween with a spearphishing e-mail that ultimately gave the attackers access to PageFair's content distribution network account. The attacker then reset the password and replaced the JavaScript code PageFair normally had execute on subscriber websites. For almost 90 minutes after that, people who visited 501 unnamed sites received popup windows telling them their version of Adobe Flash was out-of-date and prompting them to install malware disguised as an official update.

"If you are a publisher using our free analytics service, you have good reason to be very angry and disappointed with us right now," PageFair CEO Sean Blanchfield wrote in a blog post published Sunday. "For 83 minutes last night, the PageFair analytics service was compromised by hackers, who succeeded in getting malicious javascript to execute on websites via our service, which prompted some visitors to these websites to download an executable file. I am very sorry that this occurred and would like to assure you that it is no longer happening."

According to security provider F-Secure, the remote access tool installed in successful attacks was called Nanocore, a full-featured piece of malware that logs passwords, takes webcam snapshots, and regularly reports to a server under the control of attackers to upload private data and receive new instructions.

Fortunately, the malware was detected by F-Secure and likely competing antivirus packages as well. Additionally, a large percentage of connections to the attacker servers failed. On top of that, NanoCore runs only on Windows, so people visiting on machines running other operating systems were immune to the attack. PageFair's Blanchfield estimated that only 2.3 percent of people visiting one of the 501 affected sites during the attack would have been at risk of being infected. Still, the incident is the latest to show how people visiting known sites can still be exposed to drive-by attacks with serious consequences.