Pierluigi Paganini January 16, 2015

Experts at Sucury firm have analyzed a malvertising scheme that has hijacked at least two distinct Google AdWords advertising campaigns.

Malvertising campaigns are one of privileged attack vector exploited by criminal crews, their efficiency depends on the ability of attackers to compromise large audience channels. In September 2014 Malwarebytes firm discovered a large scale malvertising campaign exploiting Google’s DoubleClick and popular Zedo advertising agency to deliver malicious ad, while earlier 2015 security company Cyphort has discovered another malvertising campaign that targeted several websites via AOL Ad-Network, including the Huffington Post.

The above examples are the demonstration of potential effects on a large scale for these malicious campaigns, millions of Internet visitors are exposed to the risk of infection, for this reason attacker consider the malvertising an efficient tactic for a campaign that needs to address the large number of users in the shortest time.

The last malvertising campaign was discovered by the experts at Sucuri firm, which discovered that at least two distinct Google AdWords advertising campaigns have been hijacked, redirecting users that just visited the sites hosting the malicious ads. The impact of this last attack is significant, considering that some of the affected websites are visited by more than a million monthly users.

“At least two AdWords campaigns have been hijacked by scammers who modified legitimate ads to automatically redirect visitors to scam sites once they get displayed (no clicks required). The malicious redirect worked even in the Ad Review Center of the Google AdSense dashboard on google.com site where webmasters may view ads that Google displays on their sites. This problem existed for about a month since the second half of December 2014, but became really widespread last Friday (Jan 9th 2015). By the end of the weekend, Google seemed to have been able to mitigate it.” wrote Denis Sinegubko, Senior Malware Researcher at Sucuri.

Sucuri noticed a large number of requests to scan websites for malicious code because they randomly redirected to some “magazine” websites, for example, a significant number of request referenced the lemode–mgz .com site.

“In all cases, the symptoms were the same. Some users randomly got redirected when they clicked on links or loaded new pages. They all reported that the new page would show up for a second or two and then it would redirect them to those magazine websites.”

Users who visited web sites containing the malicious ads, regardless of what type of browser they had been using, were redirected to bogus websites advertising several products and that appears to the victims like reputable magazines such as Forbes and Good Housekeeping.

The bad news is that visitors didn’t have to click on the ads in order to get redirected and the anomalous behavior also impacted webmasters when they was trying to access the Ad Review Center section of their Google AdSense dashboard. Google noticed numerous complaints submitted by affected webmasters on the Google AdSense support forum, then decided to block the malicious ads and informed customers to do the same from their accounts.

The two ad campaigns with the malicious banners that were identified for all sites and publishers are:

• Anonymous advertiser adv-2646721236434373 with ads that point to the adwynn .com.
• Blackburn ART with ads pointing to rgeoffreyblackburn .com site.

“When this information was shared on the forum, webmasters began to block ads from these two accounts.”

Sinegubko also explained that webmasters were not able to identify and block the malicious ads because they were immediately redirected to the scam after the ads were displayed in the Ad Review Center.

The experts have made the following assumptions on the attacks:

• Attackers hijacked the AdWords accounts of two legitimate advertisers to run their malvertising campaign. The accounts are still active because they contain also legitimate ads. Sinegubko speculates that the owners of the accounts probably didn’t have any active campaigns, so they haven’t noticed the malicious ads.
• Criminals have created the accounts to manage the campaign and added some legitimate ads to remain under the radar.

Sinegubko has many doubts about why Google has not blocked the malicious campaigns:

“I don’t know what prevented Google to suspend those accounts right away,” Sucuri wrote. “Maybe their budgets? According to the reports in [a Google production forum], quite a few large sites with millions of monthly page views suffered from those malicious ads. And I suspect those banners may have been displayed more than a million times since December across all the sites with AdSense ads.”

Pierluigi Paganini

(Security Affairs –  Malvertising campaign, Google)