Check Point Research has uncovered a large malvertising campaign. It involves a publisher (Master134), an ad network (AdsTerra), threat actors who bid on the ad traffic and a number of resellers. The campaign is fed by more than 10,000 compromised WordPress websites. All of them were running WordPress 4.7.1, a version released in January 2017.
The Check Point blog states: “The apparent collaboration between a malicious publisher and a variety of threat actors forms a disturbing scenario which impacts the online advertising industry. AdsTerra, a famous Ad-Network company, has been purchasing traffic from a known cybercriminal posing as an ordinary publisher, which obtains its traffic via malicious activities.”
How does this malvertising campaign work?
It starts with the compromise of the WordPress sites. Version 4.7.1 has a known vulnerability which, according to the researchers, allows Remote Code Execution (RCE). They believe that Master134 compromised the sites and injected a request for a script named “jsquery.js” that redirects visitors to a site under his control.
Master134 then redirects the traffic to websites belonging to the ad network AdsTerra. A series of redirects to malicious sites then follows. According to the blog: “The list of redirection chains includes major players in the Exploit Kit landscape, along with some other malicious sites: Fobos, HookAds, Seamless, BowMan, TorchLie, BlackTDS and Slyip, all redirect to the Rig Exploit Kit. In addition, redirections to Magnitude Exploit Kit, GrandSoft Exploit Kit, FakeFlash and Technical Support Scams can also be found in the list.”
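The two indicators the report gives for a compromised site are its WordPress generator tag (4.7.1) and an injected request for a script called jsquery.js. The following is an added example, not code from Check Point or from this article, of a small scanner a site owner could run over their own pages to look for both, plus any script loaded from a host outside an allow-list. The allow-list hostnames, the attacker hostname and the sample HTML are all constructed for the example.

```python
"""Added example: check a page's HTML for the indicators described in the
Check Point report. Not Check Point's code; hostnames and sample HTML are
constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

VULNERABLE_VERSION = "4.7.1"      # the WordPress version named in the report
INJECTED_SCRIPT = "jsquery.js"    # the injected script name named in the report
# Hosts this (constructed) site expects to load scripts from. "" covers
# relative paths served by the site itself.
ALLOWED_SCRIPT_HOSTS = {"", "www.example-publisher.test", "cdn.example-publisher.test"}


class PageInspector(HTMLParser):
    """Collect the generator meta tag and every external script source."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content") or ""
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])


def wordpress_version(generator):
    """Return the version from a 'WordPress X.Y.Z' generator string, else None."""
    if not generator:
        return None
    parts = generator.split()
    if len(parts) == 2 and parts[0].lower() == "wordpress":
        return parts[1]
    return None


def inspect_page(html):
    """Return the findings for one page: version, injected script, odd hosts."""
    p = PageInspector()
    p.feed(html)
    version = wordpress_version(p.generator)
    findings = {
        "wordpress_version": version,
        "vulnerable_version": version == VULNERABLE_VERSION,
        "injected_script": [],
        "unexpected_script_host": [],
    }
    for src in p.script_srcs:
        u = urlparse(src)  # handles absolute, protocol-relative and relative URLs
        if u.path.rsplit("/", 1)[-1].lower() == INJECTED_SCRIPT:
            findings["injected_script"].append(src)
        if u.netloc.lower() not in ALLOWED_SCRIPT_HOSTS:
            findings["unexpected_script_host"].append(src)
    return findings


def is_suspicious(findings):
    """True if any indicator fired; a vulnerable version alone is worth a look."""
    return bool(
        findings["vulnerable_version"]
        or findings["injected_script"]
        or findings["unexpected_script_host"]
    )


# Constructed sample page: vulnerable version plus an injected script from an
# attacker-controlled host (hostname invented for the example).
SAMPLE_PAGE = """<html><head>
<meta name="generator" content="WordPress 4.7.1">
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="//cdn.example-publisher.test/theme.js"></script>
<script src="http://attacker-controlled.test/jsquery.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    result = inspect_page(SAMPLE_PAGE)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("suspicious:", is_suspicious(result))
```

The host allow-list is the part worth maintaining: an injected redirector will not always reuse the jsquery.js name, but it almost always has to load from somewhere the site owner never chose to trust.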
Is AdsTerra just an innocent party?
AdsTerra's role is to sell ad space: it runs a bidding platform on which advertisers bid for the traffic. That is no different from many other advertising platforms on the Internet.
Check Point suggests that AdsTerra is not an innocent party in this web of deceit, stating: “An examination of the purchases from AdsTerra showed that somehow, space offered by Master134 always ended up in the hands of cyber criminals, and thus enables the infection chain to be completed.
“In short, it seems threat actors seeking traffic for their campaigns simply buy ad space from Master134 via several Ad-Networks and, in turn, Master134 indirectly sells traffic/victims, to these campaigns via malvertising.”
It is also worth noting that this is not the first time AdsTerra has been named in connection with malvertising. Jerome Segura of Malwarebytes wrote a blog post in 2016 highlighting the part AdsTerra played in distributing the Magnitude EK through malvertising.
Is this Zirconium all over again?
Confiant disclosed the details of Zirconium, a malvertising operation that ran throughout 2017. In that case, Zirconium created its own ad agencies, purchased traffic and built its own ad platform for others to use.
This attack is not quite as sophisticated. Master134 does not own every link in the chain, but if threat actors are contracting directly with Master134 and Master134 is paying the ad networks to reroute the traffic and disguise its origin, it is not far off. It also calls into question the innocence of everyone in the chain.
What does this mean?
All of this creates a more complex downstream problem for website owners. AdsTerra and the resellers distribute both legitimate content and malvertising. Website owners have little visibility into what is being pushed to their sites: they simply embed an ad tag and allow the resellers to push ads through it. At best, a site owner can restrict where third-party scripts may load from, but the ad creative itself arrives at run time, after that decision has been made.
Malvertising is difficult for users to spot, and this campaign shows how easy it is to get it distributed. It is time the online advertising industry tightened up its approach to the problem. If ad networks won't take action themselves, perhaps the industry needs better regulation.