View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 30, 2018updated 31 Jul 2018 7:41pm

Shadowy Mastermind Using Stolen Traffic to Power “Malvertising” Campaign

"Master134" believed to be behind numerous other scams

By CBR Staff Writer

UPDATED 31st August 2018 17.53 with comment from AdsTerra, AdKernel

Researchers at Tel Aviv-headquartered cybersecurity vendor Check Point have identified a new malicious campaign that piggybacks on the infrastructure of high profile online advertising companies to spread a wide range of malware.

The so-called “malvertising” campaign, overseen by a cybercriminal dubbed “Master134”,  redirects traffic from over 10,000 hacked WordPress websites and sells it to well known real-time bidding (RTB) ad platform AdsTerra.

AdsTerra then resells the traffic to several other companies – in this case, ExoClick, AdKernel, EvoLeads, AdventureFeeds – who sell this traffic to their clients. Criminal advertising buyers, in turn, use clicks on corrupted ads to to spread a wide range of malware, including banking trojans.

Check Point said: “An examination of the purchases from AdsTerra showed that somehow, space offered by Master134 always ended up in the hands of cyber criminals, and thus enables the infection chain to be completed.”

Check Point has observed over 40,000 infection attempts per week (i.e. at least 40,000 clicks on malicious adverts weekly) and the campaign is still active.

AdsTerra told Computer Business Review in an emailed statement: “All publishers accounts that were mentioned in that article have been suspended. Malware ads are prohibited in Adsterra Network and we have a monitor system that checks all campaigns and stops all suspicious campaigns. However the logs from the article demonstrate that those ads came from third-party networks which are hard to control.”

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

The company, which sent an unsigned email, added: “3rd party ads served by other ad networks connected to our supply using RTB/XML protocols.  We will contact the networks that were mentioned in that article and notify them of the problems discovered.”

AdsTerra added that it was updating its compliance policies and monitoring software.

Updated: AdKernel told Computer Business Review it is not an ad reseller but rather a “white-label ad-serving tech firm”, emphasising that two domains named by Check Point in its report are not owned by AdKernal, but its ad network clients.

It added: “Rooting out malware is critical to our organization and we offer our customers many tools and technologies to address these issues. Yet it is up to the individual customer to determine how they manage malware within their ad stream.”

 

 

How Does the Malware Advertising Process Work?

As Check Point’s team – who linked “Master134” to numerous other scams – put it: “We wouldn’t expect that a threat actor, such as the ones involved in the process, would be able to retain the advertising services of an Ad-Network company.

“Based on our findings, we speculate that the threat actors pay Master134 directly. Master134 then pays the ad-network companies… In such a scenario, Master134 plays a unique role in the cybercrime underworld; he is generating profit from ad revenue by working directly with AdsTerra and is successfully making sure this traffic reaches the right, or in our case – the wrong hands.”

What’s the Solution?

Asked by Computer Business Review what ad networks and resellers can do, a Check Point spokesman said: “Due to the really fast nature of the transactions, and the sheer volume of advertisements, we believe that there is no real-time monitoring by humans.”

They added: “The advert resellers need to know that their customers are ‘bad guys’, but most of them preform no vetting of customers on their part.  Ideally, we would like to see ad-networks do more in order to eliminate malicious advertisements.”

“As this malvertising campaign is all over the web, an effective approach for organizations to protect their networks is multi-layer protection – consisting of IPS on the network to prevent malicious redirections and remote code execution, but also sandboxing on employee endpoints to block zero-day attacks.”

Malvertising Proliferates

Malvertising is proliferating, muddying the waters of an already opaque online advertising environment.

Last month Bitdefender, for example, identified an “extremely sophisticated piece of rootkit-based spyware” that has been running covertly since early 2012.

The malware, “Zacinlo”, infects users’ computers and either opens invisible browser instances to load advertising banners in it, then simulates clicks from the user, or it replaces ads loaded naturally inside the browser with the attacker’s ads in order to collect the advertising revenue.

As Computer Business Review reported last month, the FBI is reported to be investigating media trading practices in the US advertising industry amid concerns about a lack of transparency and potential money laundering.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU