Both consumers and businesses have long assumed that malware arrives in a variety of ways, but mostly by visiting disreputable websites or opening email attachments. As with every other form of cyber crime, the criminals have developed more sophisticated methods, and the most recent is delivering malware through legitimate advertising channels. This opens the door to unsuspecting users who download everything from ransomware to banking Trojans simply by visiting what they believed were “safe” websites.
Leading cyber threat intelligence organisation Check Point Research discovered a rather elaborate malvertising campaign tied to many of today’s online advertising companies. The Check Point Research report entitled “A Malvertising Campaign of Secrets and Lies” describes a threat actor group that made use of over 10,000 compromised WordPress websites and multiple exploit kits to spread malware.
Check Point Research referred to the group as “Master134” and held it responsible for an incredibly well-planned malvertising campaign that involved well-known resellers, publishers and networks. The main organisation that appeared to power the entire process is “Adsterra.”
This concept isn’t exactly “new”, as cybercriminals have long made use of unpatched WordPress sites to accomplish the same thing. The difference is that this group used channels that have long been considered “safer” because of their reputations. From a technology standpoint, it works like this: the criminals take over WordPress sites because unpatched installations are vulnerable to remote code execution attacks. They then redirect the sites’ visitors to pages operated by ad networks, and those pages in turn redirect the unsuspecting user to a malicious domain that downloads the malware.
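The redirect chain described above (compromised WordPress site, then an ad-network hop, then a third-party host serving a download) is something a defender can look for in web proxy logs. The following is an added example, not code from the Check Point report or from DaVinci Forensics: it rebuilds per-client navigation chains from Referer headers in a constructed log and flags chains that match that pattern. The log format, the ad-host allowlist and every domain in it are assumptions made up for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not from the Check Point report): "client_ip url referer"
SAMPLE_LOG = """\
10.0.0.5 http://blog.example.net/wp-content/themes/x/index.php -
10.0.0.5 http://ads.example-adnet.test/go?id=7 http://blog.example.net/wp-content/themes/x/index.php
10.0.0.5 http://landing.example-ek.test/index.php http://ads.example-adnet.test/go?id=7
10.0.0.5 http://landing.example-ek.test/payload.exe http://landing.example-ek.test/index.php
10.0.0.9 http://news.example.org/article -
10.0.0.9 http://ads.example-adnet.test/banner.js http://news.example.org/article
"""

AD_HOSTS = {"ads.example-adnet.test"}  # assumed allowlist of known ad-network hosts
WP_PATH = re.compile(r"/wp-(?:content|includes|admin)/")  # WordPress page fingerprint
PAYLOAD_EXT = (".exe", ".dll", ".jar", ".msi")  # downloads worth a closer look

def parse_log(text):
    """One dict per line: ip, url, host, referer (None for '-')."""
    rows = []
    for line in text.splitlines():
        ip, url, ref = line.split()
        rows.append({"ip": ip, "url": url, "host": urlparse(url).hostname,
                     "referer": None if ref == "-" else ref})
    return rows

def build_chains(rows):
    """Per client, follow Referer links forward to rebuild each navigation chain."""
    chains = []
    for ip in sorted({r["ip"] for r in rows}):
        reqs = [r for r in rows if r["ip"] == ip]
        urls = {r["url"] for r in reqs}
        for start in [r for r in reqs if r["referer"] not in urls]:  # chain heads
            chain = [start]  # next hop: the request whose Referer is the current hop's URL
            while nxt := next((x for x in reqs if x["referer"] == chain[-1]["url"] and x not in chain), None):
                chain.append(nxt)
            chains.append(chain)
    return chains

def matches_report_pattern(chain):
    """WordPress page -> ad-network hop -> different host that serves an executable."""
    hosts = [r["host"] for r in chain]
    last = chain[-1]
    return (WP_PATH.search(chain[0]["url"]) is not None
            and any(h in AD_HOSTS for h in hosts[1:-1])
            and last["host"] not in AD_HOSTS and last["host"] != hosts[0]
            and urlparse(last["url"]).path.lower().endswith(PAYLOAD_EXT))

def suspicious_chains(text):
    return [[r["url"] for r in c] for c in build_chains(parse_log(text)) if matches_report_pattern(c)]
```

Running `suspicious_chains(SAMPLE_LOG)` returns only the first client’s chain; the second client’s ordinary banner load through the same ad host is not flagged, which is the point: the ad hop alone is normal, the combination is not.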
Reselling traffic data is big business, and many organisations do it using perfectly legal and well-known methods. However, when the researchers at Check Point delved into how this traffic was being redirected, they found “an alarming partnership between a threat actor disguised as a publisher and several legitimate resellers.” The Check Point Research report indicated that Master134 sold its ad space, or traffic, to the Adsterra network, which then sold it on to advertising resellers such as AdKernel, ExoClick, AdventureFeeds and EvoLeads, who in turn sold the traffic to their clients.
The team at Check Point found a rather odd sales pattern in all of this. “All of the clients who bid on the traffic directed via AdsTerra, from Master134, happen to be threat actors, and among them some of the exploit kit land’s biggest players.” Although Check Point didn’t accuse Adsterra or any of the resellers of knowingly participating in this malvertising campaign, it did report that these networks had to “turn a blind eye” for the scheme to succeed.
“As we see the escalation of these types of malvertising campaigns, both consumers and businesses need to recognise the importance of maintaining a high level of anti-virus, firewalls and network security. When it comes to the internet, there is no longer any aspect of ‘trust’ that can be given. Malware is a huge threat and costs companies and individuals billions every year. In South Africa, one of the largest growing internet and technology groups on the globe, we need to place a priority on each and every aspect of cybersecurity. As professionals in dealing with cybersecurity, DaVinci Forensics works together to educate and inform so that we can assist in keeping all of your personal and proprietary data safe.”
Da Vinci Forensics