How a massive campaign of booby-trapped web ads went undetected for too long

Security firm Malwarebytes has published a comprehensive analysis of a recently detected malvertising attack that affected many ad networks and ran uninterrupted for almost three weeks.

The tainted ad-slinging scheme affected large and small ad networks alike. What appeared to be legitimate advertisements were used to mask cunning techniques employed by cybercrooks in order to camouflage traffic redirections and evade detection systems. The campaign exposed surfers browsing popular websites to content served up from sites hosting the Angler Exploit Kit, currently the most advanced tool used in download attacks.

These assaults pushed ad fraud and ransomware to mostly US and UK surfers running unpatched systems. Outdated software like Adobe Flash and browsers are particularly vulnerable to this type of attack. Crooks paid for the privilege of serving up tainted ads, and the return on investment made it worth their while. Elaborate steps were taken to conceal the scam and keep it running for as long as possible before detection.

The list of affected publishers includes ebay.co.uk, drudgereport.com, answers.com, and a scattering of internet smut sites, as previously reported. Affected ad networks include DoubleClick, AppNexus, and more. All are inadvertent carriers of carefully smuggled, dangerous content.

The cybercrooks behind the campaign registered to various ad platforms posing as legitimate advertisers. Then they submitted their creatives through Real Time Bidding. Many of the websites had been registered years before and some were even listed with the Better Business Bureau. In reality the proxy firms were decoys only brought into play to fool ad networks.

Malwarebytes warns that tainted ad campaigns are becoming so sophisticated they might soon evade detection, at least during the timescale of brief runs typical of such cybercrime ops.

"While malvertising has made headlines during the past few months, the attacks that are documented publicly are only the tip of the iceberg," explains Jérôme Segura, senior security researcher at Malwarebytes. "There are some campaigns that are so advanced that no one will ever see or hear about them, which is exactly what threat actors are hoping for."

"In this cat-and-mouse game, the initiators will always have the advantage, that window of opportunity to distribute malware before their scheme is exposed," he added.

This latest malvertising campaign underlines the importance of screening advertisers. If they have the ability to host and serve ad content themselves, there are obvious problems.

"The ad could be clean or booby trapped, but the rogue actors are in full control of the delivery platform and can instruct it to perform nefarious actions that will easily bypass most security checks," Segura concludes.

Malwarebytes has passed on the findings of its research to ad networks, who have "taken the necessary steps to stop this campaign. But we will continue to monitor the situation to detect potential changes or migration into other ad networks," according to the security software firm. ®