While analyzing recent drive-by download attacks, security researchers have uncovered a large malvertising operation that infiltrated the legitimate online ad ecosystem and abuses more than 10,000 compromised websites.
Malicious advertising, or malvertising, is the practice of displaying rogue ads on legitimate websites without their owners’ consent or knowledge. This has been a very popular attack vector for many years and even led to an investigation by the U.S. Senate in 2014.
In response, ad networks, which are responsible for delivering ads to content publishers, have strengthened their defenses against fraud and abuse, but as researchers from Check Point recently found, cybercriminals still find ways to bypass those checks on a large scale.
In addition to scam and scareware, malicious ads are frequently used to direct unsuspecting users to exploit kits, web-based attack tools that attempt to exploit vulnerabilities in browsers or their plug-ins. Flash Player, Java and Silverlight have been common targets over the years.
Exploit kits are not as popular with cybercriminals as they used to be, because the targeted applications have incorporated sandboxing and other mechanisms that make exploitation more difficult. However, they’re still around and new ones are being created.
“Check Point Research has uncovered a large Malvertising campaign that starts with thousands of compromised WordPress websites, involves multiple parties in the online advertising chain and ends with distributing malicious content, via multiple Exploit Kits,” researchers from the security company said in a new report.
The researchers uncovered that a single threat actor, whom they dubbed Master134, is in control of more than 10,000 compromised websites. The sites all run an older version of WordPress that is vulnerable to remote code execution.
The threat actor appears to be posing as a publisher and sells ad space on these compromised websites through a large advertising network called AdsTerra. In turn, that ad space is bid on and bought through AdsTerra by several other reseller companies, which then sell it to advertisers who turn out to be almost exclusively cybercriminal groups that operate exploit kits.
This seems to be a full abuse of the advertising supply chain and it’s not clear if the advertising companies involved are having their security checks bypassed or are intentionally turning a blind eye to the malicious activity.
“Indeed, threat actors never cease to look for new techniques to spread their attack campaigns, and do not hesitate to utilize legitimate means to do so,” the researchers said. “However, when legitimate online advertising companies are found at the heart of a scheme, connecting threat actors and enabling the distribution of malicious content worldwide, we can’t help but wonder – is the online advertising industry responsible for the public’s safety? Indeed, how can we be certain that the advertisement we encounter while visiting legitimate websites are not meant to harm us?”
Unfortunately, malvertising is likely to remain a common attack vector for years to come, if not to direct users to exploit kits, then to trick them into downloading potentially unwanted applications. Malicious and annoying advertisements are frequently cited as the primary reasons for users installing ad blockers in their browsers, which hurts the entire online ecosystem and content creators in particular.