Hundreds of millions of potential victims of a new advanced malvertising campaign

Experts at Malwarebytes uncovered a massive malvertising campaign in which rogue web ads went undetected for weeks and redirected visitors to the Angler Exploit Kit.

In August, threat actors behind a number of major malvertising campaigns began to roll out new tactics to avoid the increasing scrutiny of security firms and law enforcement.

Security experts at Malwarebytes revealed that the crooks behind the malvertising campaigns remained under the radar while targeting tens of millions of visitors of popular websites.

The campaign went undetected for nearly three weeks. The fraudsters leveraged several top ad networks to redirect visitors to domains hosting the popular Angler Exploit Kit, which then attempted to exploit the visitors' browsers and plugins to install malware on their PCs.

“Malicious actors registered to various ad platforms posing as legitimate advertisers and submitted their creatives (shown below) through Real Time Bidding. The companies they were purporting to represent appeared legitimate on the surface, with websites registered years ago and even some listed in the Better Business Bureau registry. This decoy worked well enough to fool many ad networks with direct ties to the major ones in the online ad industry,” explained the researchers at Malwarebytes. “The ads themselves were loaded directly from the rogue advertisers’ websites, which, as we will see later, was part of the problem in compromising the advertising chain. However it is worth mentioning that the ads themselves were not booby-trapped at all, which again made it more difficult to spot something suspicious.”

The cybercriminals abused a number of the biggest ad networks as well as smaller players, including:

  • DoubleClick (ad-emea.doubleclick.net)
  • AppNexus (fra1.ib.adnxs.com)
  • engage:BDR (delivery.first-impression)
  • ExoClick (syndication.exoclick.com)
  • adk2x.com
  • rtbfy.com
  • ecpmrocks.com
  • teracreative.com

The list of affected websites is very long and includes domains with significant monthly traffic:

Site name             Monthly traffic (according to Similarweb)
ebay.co.uk            139M
drudgereport.com      61.3M
answers.com           53.8M
nuvid.com             51.5M
upornia.com           35.8M
wowhead.com           27.8M
ehowespanol.com       20.3M
eroprofile.com        15.6M
newsnow.co.uk         15.5M
talktalk.co.uk        11.1M
pornyeah.com          10.6M
manta.com             9.8M
iceporn.com           7.5M
streamsexclips.com    5M
xbabe.com             4.4M

The researchers at Malwarebytes included a graphic in their analysis to explain the attack scenario. They highlighted the great effort put into masquerading the malicious domains used in the campaign in order to avoid detection, including encrypting the traffic and using URL shorteners.


Bad news for the millions of visitors of the popular websites: simply by loading a page that served one of the rogue ads, they were silently redirected to the Angler Exploit Kit, with no click required; the kit then tried to exploit vulnerable browsers and plugins. The top five countries where users landed on Angler EK for this campaign were the US, UK, Australia, Poland and Canada.

“Among the kits were typical ad fraud and ransomware, attempting to target and exploit users throughout the US and UK.” explained the experts.


The worrying aspect of the story is that threat actors will continue to improve their techniques. The experts explained that some campaigns are so advanced that they go unnoticed even by the security industry.

“While malvertising has made headlines during the past few months, the attacks that are documented publicly are only the tip of the iceberg,” explains Jérôme Segura, senior security researcher at Malwarebytes. “There are some campaigns that are so advanced that no one will ever see or hear about them, which is exactly what threat actors are hoping for.”

“In this cat-and-mouse game, the initiators will always have the advantage, that window of opportunity to distribute malware before their scheme is exposed,” he added. “This latest malvertising campaign underlines the importance of screening advertisers. If they have the ability to host and serve ad content themselves, there are obvious problems.”

“The ad could be clean or booby-trapped, but the rogue actors are in full control of the delivery platform and can instruct it to perform nefarious actions that will easily bypass most security checks,” Segura concludes.
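The three indicators the article describes (ad content loaded from the advertiser's own servers rather than the network's, redirect hops through URL shorteners, and encrypted traffic to undeclared hosts) can be turned into a screening check over the redirect chain an ad slot produces. The script below is an added example, not code from Malwarebytes or Security Affairs: the ad-network allowlist reuses the three real hosts named in the article, while the shortener list, the advertiser domain `plausible-advertiser.example`, the made-up shortener `shr.example` and the whole sample chain are constructed for illustration.

```python
"""Screen the redirect chain behind an ad slot for the malvertising
indicators the article describes: ad content served from the advertiser's
own host instead of the ad network, hops through URL shorteners, and a
final landing page on a host the advertiser never declared.

Added example; not code from Malwarebytes or Security Affairs. All URLs,
the allowlists and the sample chain below are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts that the ad networks named in the article use to serve ad requests.
# Treated here as the only "trusted delivery" hosts; constructed allowlist.
AD_NETWORK_HOSTS = {
    "ad-emea.doubleclick.net",
    "fra1.ib.adnxs.com",
    "syndication.exoclick.com",
}

# Public URL shorteners plus one made-up host ("shr.example") used only so
# the constructed sample chain resolves nowhere real. Assumed list.
URL_SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "shr.example"}


@dataclass(frozen=True)
class Finding:
    hop: int       # index into the chain (0 = the initial ad request)
    url: str
    reason: str


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def screen_chain(chain, advertiser_domains, network_hosts=AD_NETWORK_HOSTS,
                 shorteners=URL_SHORTENER_HOSTS):
    """Return a list of Finding for every suspicious hop in `chain`.

    `chain` is the ordered list of URLs fetched while one ad slot loaded:
    the ad network's request first, the final landing page last.
    `advertiser_domains` are the domains the advertiser declared at signup.
    A chain that stays entirely on ad-network hosts yields no findings.
    """
    findings = []
    if not chain:
        return findings
    if _host(chain[0]) not in network_hosts:
        findings.append(Finding(0, chain[0],
                                "initial request is not to a known ad-network host"))
    last = len(chain) - 1
    for i in range(1, len(chain)):
        url, host = chain[i], _host(chain[i])
        if host in network_hosts:
            continue  # served by the network itself: the expected case
        if any(_under(host, s) for s in shorteners):
            findings.append(Finding(i, url,
                                    "hop through a URL shortener hides the next destination"))
            continue
        if any(_under(host, d) for d in advertiser_domains):
            if i < last:
                # The creative or its script comes from the advertiser's own
                # server: clean at review time, but under the advertiser's
                # control afterwards, which is the problem the report raises.
                findings.append(Finding(i, url,
                                        "ad content served from the advertiser's own host (self-hosted)"))
            continue  # landing on the declared domain itself is fine
        scheme = urlsplit(url).scheme
        detail = " (encrypted, so not inspectable inline)" if scheme == "https" else ""
        findings.append(Finding(i, url,
                                "host matches neither the ad network nor the declared advertiser domains" + detail))
    return findings


# Constructed sample: a rogue advertiser declared one domain, serves its own
# creative script, bounces through a shortener and lands on an undeclared host.
SAMPLE_ADVERTISER_DOMAINS = {"plausible-advertiser.example"}
SAMPLE_CHAIN = [
    "https://ad-emea.doubleclick.net/ad-request",                    # network call
    "https://cdn.plausible-advertiser.example/creative/banner.js",   # self-hosted creative
    "https://shr.example/a1b2c3",                                    # shortener hop
    "https://gate.unrelated-host.example/index.php?id=42",           # EK gate (constructed)
]

if __name__ == "__main__":
    for f in screen_chain(SAMPLE_CHAIN, SAMPLE_ADVERTISER_DOMAINS):
        print(f"hop {f.hop}: {f.reason}\n    {f.url}")
```

Run against the sample chain it reports all three hops after the network call. A chain that never leaves the network's hosts, or that ends on the advertiser's declared domain, produces no findings, which is the behaviour a network would want before approving a creative. The check is deliberately about where content is served from, not about what the creative contains, because, as the Malwarebytes quote above notes, the ads themselves looked clean.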

Pierluigi Paganini

(Security Affairs – malvertising, cybercrime)
