A malvertising campaign affecting the websites of several major companies went undetected for almost three weeks, according to antivirus firm Malwarebytes.
Malvertising operations have become increasingly common because they allow cybercriminals to push malware onto victims’ computers without having to trick them into downloading email attachments or clicking on links.
The latest attack observed by Malwarebytes managed to stay under the radar for almost three weeks because the attackers used some clever techniques to avoid detection.
First of all, they registered on various ad platforms using companies that appeared legitimate — their websites had been created years ago, and some of them were even listed by the Better Business Bureau. The attackers managed to trick many advertising networks, including ones that had ties to major industry players such as DoubleClick, AppNexus, engage:BDR, and ExoClick.
As a result, the malicious advertisements reached the visitors of many high-traffic websites, including eBay, Drudge Report, Answers.com, eHow Espanol, TalkTalk, News Now, and Manta.
Once they tricked ad platforms into thinking that they were representing legitimate companies, the cybercriminals used real-time bidding to push their ads. One of the factors that made this campaign difficult to spot was the fact that the advertisements themselves were not malicious, Malwarebytes explained.
The attackers had been able to redirect victims to their malware-serving websites by loading the ads directly from a rogue ad server. Users were taken via URL shorteners or custom APIs to Angler exploit kit landing pages set up to push ransomware or ad fraud malware by exploiting vulnerabilities in unpatched software.
According to Malwarebytes, the highest number of users who accessed the exploit kit landing pages were located in the U.S. (46%) and the U.K. (36%). The security firm alerted advertisers and they took steps to disrupt the campaign.
“While malvertising has made headlines during the past few months, the attacks that are documented publicly are only the tip of the iceberg. There are some campaigns that are so advanced that no one will ever see or hear about them, which is exactly what threat actors are hoping for,” Jérôme Segura, senior security researcher at Malwarebytes, wrote in a blog post.
“This particular case is a good illustration of why screening advertisers is so important, especially when they are allowed to host and serve the ad content themselves. The ad could be clean or booby trapped, but the rogue actors are in full control of the delivery platform and can instruct it to perform nefarious actions that will easily bypass most security checks,” the expert added.