Analyzing A Sophisticated, Large-Scale Malvertising Campaign

881

Researchers at leading cyber-security vendor Check Point have shown how criminals are using a new and complex method to abuse the digital infrastructure of the online advertising industry to spread malware to millions of online surfers worldwide.

This is widely known as ‘malvertising’ and, in this case, started with the compromising of thousands of WordPress websites, involves multiple parties in the online advertising chain, and ends with the distribution of malware to web users globally.

The online advertising industry is based on three main elements:

1)      Advertisers who wish to promote their products or content.

2)      Publishers who allocate space on their website and sell it to Advertisers.

3)      Ad-Networks that bid to buy ad space and connect Advertisers to Publishers.

In addition to these parties are ‘Resellers’. These companies work with Ad-Networks to resell the traffic that Ad-Networks collect from Publishers on to other Advertisers.

The malvertising campaign discovered by Check Point reveals a disturbing partnership between a threat actor disguised as a Publisher(dubbed ‘Master134’) and several legitimate Resellers that leverage this relationship to distribute a variety of malware including Banking Trojans, ransomware and bots. Powering the whole process was the powerful Ad-Network, AdsTerra.

Master134 redirected stolen traffic from over 10,000 hacked WordPress sites and sold it to AdsTerra, the real time bidding (RTB) ad platform, who then sold it to Resellers (ExoClick, AdKernel, EvoLeads and AdventureFeeds).

These Resellers would then pass this traffic on to the highest bidding ‘Advertiser’. However, instead of the advertiser being a legitimate company selling actual products, these ‘advertisers’ were criminals looking to distribute ransomware, banking trojans, bots and other malware.  In this way, cyber criminals are abusing the online advertising ecosystem, using it to bid alongside legitimate advertisers, like Nike or Coca Cola, but placing higher bids in order to have the ad-networks select their malware-laden ads to display on thousands of publishers’ websites instead of clean, legitimate ads.

The payment system in this scheme is also laundered, courtesy of the online advertising ecosystem.  Furthermore, malvertisers (threat actors disguised as advertisers) can even measure the ROI of their ad-spend in relation to the income gained by infected users paying the ransom to unlock their files following the malvertiser’s ransomware campaign, or cash drained from victims’ accounts following a Banking Trojan campaign. 

Fatal attraction towards malvertising

Malvertising is not a new phenomenon.  Over the past ten years, ads displayed on legitimate and often popular websites have emerged as a key way for criminals to infect unsuspecting computer users.  The ads often contain malicious code that exploits unpatched vulnerabilities in browsers or browser plug-ins, such as Adobe’s Flash Player, so that the user gets infected by ransomware, keyloggers, and other types of malware simply by visiting a site hosting the malicious link.

As such, the use of ad-blockers gained rapidly in popularity, with 22% of UK citizens now implementing them. But according to the Internet Advertising Bureau (IAB), this number has stalled due to publishers taking action to block site access to those with ad-blockers enabled.

So in February 2018, Google teamed up with the Coalition for Betters Ads to roll out an ad blocker on Google Chrome that now automatically strips ads from sites whose quality does not adhere to industry standards. However, Google’s adblocker concerns itself more with annoying and intrusive ads than malvertising, and is not the solution to ending this highly profitable form of cyber crime.

As mentioned earlier, advertisers use real time bidding platforms from resellers and ad-networks to bid in real time for the rights to display their ads to particular users, and those ads include custom JavaScript code that runs in user’s browsers.  The exact content users see depends on who they are, where they are, what device they’re using and other variables. This makes it incredibly difficult for both publishers and ad networks to conclusively review every version of an advert for malicious content.

The criminals behind ‘malvertising’ (threat actors disguised as advertisers) can even target users according to whether or not they have unpatched operating systems or browsers, and even specific device types. So, even if high-level scanning is done to ensure the creatives are clean, unless the exact combination of characteristics malvertisers are targeting is found, ad-networks are simply not going to detect the malicious activity.

The research clearly raises questions about the proper ad verification methods used in the online advertising industry and the current role of ad-networks in the malvertising ecosystem as a whole.  Companies are at best being manipulated, and at worst complicit, in powering these attacks.

Unfortunately, no matter how much awareness there is amongst users, due to the passive nature of malware being delivered simply by loading onto a user’s screen via a malicious ad, it will never be enough.  According to Check Point, as these attacks are targeted towards users’ devices rather than the network, organizations need a multi-layered approach to their cyber security to stay fully protected not only from known threats, but also against unknown malware and zero-day threats, like malvertising.