
Advanced Malvertising Campaign Exploits Online Advertising Supply Chain

Malvertising Campaign Steals Traffic From 10,000 Hacked WordPress Sites and Exploits the Online Advertising Supply Chain

[UPDATED] Malvertising is neither a new nor insignificant threat -- nor is there any easy solution to stop it. It is the abuse of the online advertising industry to deliver malware disguised as or hidden within seemingly innocuous advertisements.

Researchers at Check Point have discovered what they describe as the infrastructure and methods used in a large ‘malvertising’ and banking Trojan campaign, which delivers malicious adverts to millions worldwide through the HiBids online advertising platform. 

The campaign starts with a threat actor that Check Point describes as 'Master134'. He sold stolen web traffic from 10,000 hacked WordPress sites to, say the researchers, "AdsTerra, the real time bidding (RTB) ad platform, who then sold it to Resellers (ExoClick, AdKernel, EvoLeads and AdventureFeeds)."

The researchers told SecurityWeek, "The traffic is stolen from the compromised WordPress sites via a known exploit on that platform, which enables the actor to insert a redirection to his malicious infrastructure."
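The injection described above has a defender-side counterpart: a publisher (or an ad network vetting a landing page) can scan the HTML its site actually serves and flag anything that sends the visitor to a different host. The script below is an added example written for this article; it is not Check Point's tooling, and the article does not publish the code Master134 inserted, so the patterns it looks for (meta refresh, script-driven location changes, hidden iframes, and one layer of `eval(atob(...))` obfuscation) are generic assumptions about how such injections usually look. The sample pages and the `traffic-broker.test` host are constructed for the example, not real indicators.

```python
"""Flag HTML that redirects visitors to a host other than the site's own.

Added example, not Check Point's or Adsterra's code. The injection patterns
are assumptions about typical WordPress redirect injections; the article
does not publish the actual injected code.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assignments such as window.location.href = "http://x/" or location.replace("http://x/")
_LOCATION_RE = re.compile(
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]",
    re.I,
)
# eval(atob("...")) hides the payload; we decode it and scan the result as well.
_ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# url=... inside <meta http-equiv="refresh" content="0;url=http://x/">
_REFRESH_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)


def _foreign(url, site_host):
    """True when url points at a host that is not the site itself."""
    host = urlparse(url).hostname
    # Relative URLs and same-host URLs are normal navigation, not theft of traffic.
    return bool(host) and host.lower() != site_host.lower()


class _Collector(HTMLParser):
    """Gather inline script bodies, meta-refresh targets and iframes from a page."""

    def __init__(self):
        super().__init__()
        self.scripts, self.refreshes, self.iframes = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = _REFRESH_URL_RE.search(a.get("content") or "")
            if m:
                self.refreshes.append(m.group(1))
        elif tag == "iframe":
            self.iframes.append((a.get("src") or "", a.get("style") or ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def find_injected_redirects(html, site_host):
    """Return (reason, url) findings for a page that `site_host` served."""
    p = _Collector()
    p.feed(html)
    findings = []
    for url in p.refreshes:
        if _foreign(url, site_host):
            findings.append(("meta-refresh", url))
    for src, style in p.iframes:
        hidden = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style, re.I)
        if hidden and _foreign(src, site_host):
            findings.append(("hidden-iframe", src))
    for code in p.scripts:
        # Peel one layer of atob() obfuscation before looking for location changes.
        for enc in _ATOB_RE.findall(code):
            try:
                code += "\n" + base64.b64decode(enc).decode("utf-8", "replace")
            except ValueError:
                pass
        for m in _LOCATION_RE.finditer(code):
            url = m.group(1) or m.group(2)
            if _foreign(url, site_host):
                findings.append(("script-redirect", url))
    return findings


# Constructed sample pages. The obfuscated payload is built here so the sample stays readable.
_PAYLOAD = base64.b64encode(b'window.location.href = "http://traffic-broker.test/go";').decode()

CLEAN_PAGE = """<html><head><title>Blog</title>
<script>window.location.hash = "top";</script>
<meta http-equiv="refresh" content="30;url=/latest/"></head>
<body><iframe src="https://example-blog.test/embed"></iframe></body></html>"""

INJECTED_PAGE = f"""<html><head><title>Blog</title>
<script>eval(atob("{_PAYLOAD}"));</script></head>
<body><iframe src="http://traffic-broker.test/pop" style="display:none;width:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_injected_redirects(page, "example-blog.test"))
```

Run it against every page the site serves (fetched as an anonymous visitor, since injections are often shown only to non-logged-in traffic) and compare the site host to the WordPress install's own hostname; the clean sample produces no findings, while the injected one reports both the hidden iframe and the decoded script redirect.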

Once this traffic has passed through AdsTerra, the resellers sell it to the highest-bidding advertiser. Unfortunately, the return on malware distribution is almost immediate via payloads such as ransomware, cryptocurrency miners and banking Trojans. Because of that large return, malicious actors can usually afford to outbid legitimate advertisers.

"In this way," say the researchers, "cyber criminals are abusing the online advertising ecosystem, using it to bid alongside legitimate advertisers, like Nike or Coca Cola, but placing higher bids in order to have the ad-networks select their malware-laden ads to display on thousands of publishers’ websites instead of clean, legitimate ads."

Check Point does not provide details of the malware being distributed through this particular campaign, nor any of the publications that receive and unwittingly transmit the malware to innocent visitors. It merely states, "The ads often contain malicious code that exploits unpatched vulnerabilities in browsers or browser plug-ins, such as Adobe’s Flash Player, so that the user gets infected by ransomware, keyloggers, and other types of malware simply by visiting a site hosting the malicious link."

Luis Corrons, security evangelist at Avast, told SecurityWeek that past malvertising campaigns "have affected some of the biggest news sites, such as The New York Times, Huffington Post, Forbes, The Daily Mail and more. In order to go undetected, some of these attacks just last a few seconds each wave, to make it harder to track the source of the infection. A JavaScript Monero miner even got to YouTube through an ad network last January."

SecurityWeek asked AdsTerra for a comment on malvertising and the Check Point report, but we have so far received no reply to our email. Of the two telephone numbers we were able to find, one is a mobile number (supposedly in Singapore) that was switched off, while the other (supposedly in Gibraltar) just terminated. AdsTerra, according to its website, is headquartered in Limassol, Cyprus; while Europages lists an address in Gibraltar.

Online advertiser reviews, however, provide a glowing endorsement for the organization; with one saying that AdsTerra is particularly strong on popunder adverts. Popunders are among the sneakiest of advertisements. Rather than run the risk of being closed by the user as soon as it is seen, popunders open in a new window underneath the current browser window and remain unseen until the focus window is closed. "That’s one of the main streams of malvertising," Check Point told SecurityWeek.

There is no easy defense against malvertising. Ad blockers work, but more and more publishers are blocking access to their pages when they detect a blocker. Users must either pay a subscription for no adverts, accept they cannot view the page they want, or receive the adverts that could potentially contain malware or malicious links.

Greater responsibility -- perhaps even legal liability -- on the advertiser would help. Corrons suggests, "A content check should be performed by the ad network (on both the advertisements and the landing pages)." He would also like to see greater active monitoring, background checking on the publishers, and legal contracts with high fines if the content is not secure.

Little of this currently happens. "Due to the really fast transactions, and the sheer volume of advertisements, we believe that there is no real-time monitoring by humans," Check Point told SecurityWeek. "Resellers need to know that their customers are 'bad guys', but most of them perform no vetting of their customers."

Trusting to luck is not a good security defense; but it seems that the most many users can do against malvertising is use an ad blocker, maintain an up-to-date anti-virus solution, minimize local vulnerabilities with judicious patching -- and trust to luck when all else fails.

[Update] - After publishing, Adsterra responded to SecurityWeek, saying that the ad network does not accept traffic from hacked/hijacked sites. 

"All publishers accounts that were mentioned in that article have been suspended," a company spokesperson told SecurityWeek via email. "Malware ads are prohibited in Adsterra Network and we have a monitor system that checks all campaigns and stops all suspicious campaigns. However the logs from the article demonstrate that those ads came from 3rd party networks which are hard to control. 3rd party ads are served by other ad networks connected to our supply using RTB/XML protocols. We will contact the networks that were mentioned in that article and notify them of the problems discovered. We will thoroughly check the information from the article and update our compliance policies and monitoring software accordingly."

Related: Fake Flash Player Ads in Skype Lead to Malware 

Related: Time to Detect Compromise Improves, While Detection to Containment Worsens

*Updated with response from Adsterra

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.