
How hack on 10,000 WordPress sites was used to launch an epic malvertising campaign

Crooks exploited legit web ad ecosystem – researchers

By John Leyden


Security researchers at Check Point have lifted the lid on the infrastructure and methods of an enormous "malvertising" and banking trojan campaign.

The operation delivered malicious adverts to millions worldwide, slinging all manner of nasties including crypto-miners, ransomware and banking trojans.

The researchers told The Register that they have observed over 40,000 infection attempts per week from this campaign (that is, at least 40,000 malicious adverts reaching browsers each week; as the drive-by technique described below does not need a click, that is not a count of clicks) and said the campaign was still active. They reckon the crims are getting a decent return on their ad spend, so they can afford to outbid legitimate advertisers for the same inventory.

Check Point claimed that the brain behind the campaign – whom it dubbed Master134 – redirected stolen traffic from over 10,000 hacked WordPress sites and sold it to AdsTerra, a real-time bidding ad platform. They wrote that AdsTerra then sold it via white-label ad-serving tech from AdKernel* and advert resellers (ExoClick, EvoLeads and AdventureFeeds) which then went on to sell it to the highest bidding "advertiser".

However, the security researchers claimed, these "advertisers" were actually criminals looking to distribute ransomware, banking trojans, bots and other malware. The infected adverts then appeared on the websites of thousands of publishers worldwide, instead of clean, legitimate ads.

The ads often carry malicious JavaScript that exploits unpatched vulnerabilities in browsers or browser plug-ins, such as Adobe's Flash Player, so that the user is infected with ransomware, keyloggers or other malware simply by visiting a page on which the malicious advert is served, with no click required. This drive-by download tactic is well known and at least a decade old.

Check Point said the criminals made a laughing stock of the legitimate online advertising ecosystem. They even measured the return on investment of their ad spend by comparing it to the money they made from crypto-mining and ransoms.

The payment system in this scheme also laundered the proceeds, courtesy of the online advertising ecosystem, the researchers claimed.

Master134 and commander

What started out as the compromise of thousands of websites, all running WordPress 4.7.1 and thus, the researchers said, vulnerable to remote code execution attacks, took in multiple parties in the online advertising chain and ended with the distribution of malware to web users globally.
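A triage script for the kind of compromised publisher site the campaign relied on, added here as an illustration (it is not Check Point's tooling or code from the article). It pulls the core version from the WordPress generator meta tag and flags anything at or below 4.7.1, the release the hacked sites were running, then looks for the off-site redirect a hijacked site would carry and for the obfuscation such injected scripts usually hide behind. The HTML is constructed, and example-site.test and traffic-broker.test are placeholder hostnames, not indicators from the research.

```python
"""Triage a fetched page for the two things the article ties together:
a WordPress core version at or below 4.7.1 and an injected redirect
that sends visitors off-site (the hijacked "traffic" the campaign sold).

Added example, not Check Point's or The Register's code.  The HTML
below is constructed; example-site.test and traffic-broker.test are
placeholder hostnames, not indicators from the research.
"""
import re
from html import unescape
from urllib.parse import urlparse

# The hacked sites in the research all ran 4.7.1, so anything at or
# below that release is treated as unpatched.
CAMPAIGN_VERSION = (4, 7, 1)

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.I)
META_REFRESH_RE = re.compile(
    r'<meta\s+http-equiv=["\']refresh["\'][^>]*?url=([^"\'>\s]+)', re.I)
JS_REDIRECT_RE = re.compile(
    r'(?:window|top|document|self)\.location(?:\.href)?\s*'
    r'(?:=|\.replace\(|\.assign\()\s*["\']([^"\']+)["\']', re.I)
# Long runs of \xNN or %NN escapes, or a String.fromCharCode list, are a
# common tell for an obfuscated script injected into a compromised theme.
OBFUSCATION_RE = re.compile(
    r'(?:\\x[0-9a-f]{2}){12,}|(?:%[0-9a-f]{2}){12,}'
    r'|String\.fromCharCode\((?:\d+\s*,\s*){12,}', re.I)


def parse_version(text):
    """'4.7.1' -> (4, 7, 1); tuples compare numerically, unlike strings."""
    return tuple(int(p) for p in text.split('.') if p.isdigit())


def wordpress_version(html):
    m = GENERATOR_RE.search(html)
    return parse_version(m.group(1)) if m else None


def external_redirects(html, site_host):
    """Redirect targets (meta refresh or JS) that leave the site's own host."""
    targets = []
    for rx in (META_REFRESH_RE, JS_REDIRECT_RE):
        for raw in rx.findall(html):
            url = unescape(raw)
            host = urlparse(url).hostname
            if host and host.lower() != site_host.lower():
                targets.append(url)
    return targets


def triage(html, site_host):
    version = wordpress_version(html)
    findings = []
    if version is not None and version <= CAMPAIGN_VERSION:
        findings.append('WordPress %s is at or below 4.7.1'
                        % '.'.join(str(p) for p in version))
    for url in external_redirects(html, site_host):
        findings.append('redirect to external host: ' + url)
    if OBFUSCATION_RE.search(html):
        findings.append('obfuscated inline script')
    return {'version': version, 'findings': findings}


# Constructed sample: an unpatched site carrying an injected, obfuscated
# redirect that only fires for search-engine referrals.
HIJACKED_PAGE = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.7.1" />
<script>
var h = "\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x74\\x72\\x61\\x66\\x66\\x69\\x63";
if (document.referrer.indexOf("google") > -1) {
  window.location.href = "http://traffic-broker.test/go?src=example-site.test";
}
</script></head><body>Welcome</body></html>"""

# Constructed sample: patched, and its only redirect stays on its own host.
CLEAN_PAGE = """<html><head><meta name="generator" content="WordPress 4.9.8" />
<script>document.location.href = "https://example-site.test/welcome";</script>
</head><body>Welcome</body></html>"""

if __name__ == '__main__':
    for name, page in (('hijacked', HIJACKED_PAGE), ('clean', CLEAN_PAGE)):
        print(name, triage(page, 'example-site.test'))
```

Treat this as a first pass only: many sites strip the generator tag, and an injected redirect that keys on the referrer or user agent (the kind of targeting described further down) will not show up in a single fetch from a scanner's own vantage point.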

They added that the campaign revealed a partnership between a threat actor disguised as a publisher (dubbed "Master134") and several legitimate resellers.

The criminals behind the "malverts" can even target users according to whether they are running an unpatched operating system or browser, and down to specific device types. With no verification technology worth the name in the field, ad networks will not detect the malicious activity.

The exact content users see depends on who they are, where they are, what device they're using and other variables. This makes it incredibly difficult for both publishers and the ad industry to conclusively review every version of an advert for malicious content.
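One way to catch the per-visitor variation described above is to fetch the same creative under several visitor profiles and compare where each one ends up. The routine below does that comparison on recorded redirect chains; it is an added example, not a tool from Check Point or from the ad platforms named in the article. The profiles, chains and hostnames (ad-broker.test, brand-landing.test, rotator.test, unexpected-landing.test) are constructed.

```python
"""Differential review of one ad creative fetched under several visitor
profiles: if a subset of profiles is routed to a different landing host,
the creative is cloaking, and the attributes those profiles share tell
you what it keys on.

Added example, not a tool from Check Point or the ad platforms named in
the article.  The profiles, redirect chains and hostnames are constructed.
"""
from urllib.parse import urlparse


def landing_host(chain):
    """Hostname of the last hop in a recorded redirect chain."""
    return urlparse(chain[-1]).hostname


def cloaking_report(observations):
    """observations: list of (profile_dict, redirect_chain) pairs.

    The landing host reached by the most profiles is taken as baseline;
    every other landing host is an outlier, reported with the profile
    attributes its visitors all share and no baseline visitor has.
    """
    by_host = {}
    for profile, chain in observations:
        by_host.setdefault(landing_host(chain), []).append(profile)
    if len(by_host) <= 1:
        return {'cloaked': False,
                'baseline': next(iter(by_host), None), 'outliers': []}
    baseline = max(by_host, key=lambda h: len(by_host[h]))
    baseline_attrs = set()
    for p in by_host[baseline]:
        baseline_attrs |= set(p.items())
    outliers = []
    for host, profiles in by_host.items():
        if host == baseline:
            continue
        shared = set.intersection(*(set(p.items()) for p in profiles))
        outliers.append({
            'host': host,
            'profiles': profiles,
            'discriminators': sorted(shared - baseline_attrs),
        })
    return {'cloaked': True, 'baseline': baseline, 'outliers': outliers}


# Constructed replay: the same creative fetched four times.  Three
# patched profiles reach the advertised brand page; the one profile
# advertising an old Flash build is routed somewhere else entirely.
SAMPLE_OBSERVATIONS = [
    ({'os': 'Windows 10', 'browser': 'Chrome 68', 'flash': 'none'},
     ['http://ad-broker.test/click?c=1', 'https://brand-landing.test/offer']),
    ({'os': 'macOS 10.13', 'browser': 'Safari 11', 'flash': 'none'},
     ['http://ad-broker.test/click?c=1', 'https://brand-landing.test/offer']),
    ({'os': 'Android 8', 'browser': 'Chrome 68', 'flash': 'none'},
     ['http://ad-broker.test/click?c=1', 'https://brand-landing.test/m/offer']),
    ({'os': 'Windows 7', 'browser': 'IE 11', 'flash': '24.0.0.186'},
     ['http://ad-broker.test/click?c=1', 'http://rotator.test/r?x=9',
      'http://unexpected-landing.test/gate']),
]

if __name__ == '__main__':
    report = cloaking_report(SAMPLE_OBSERVATIONS)
    print('baseline landing host:', report['baseline'])
    for o in report['outliers']:
        print(o['host'], 'served only to profiles with', o['discriminators'])
```

The profiles have to be fetched from genuinely different vantage points (geography, residential versus datacenter IP space, time of day), because the ad server sees far more than the user-agent string; a crawler running from a cloud IP will usually be handed the clean version of the creative and the comparison will show nothing.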

Check Point's research raises questions about the ad verification methods used across the online advertising industry, not only by the parties it named. Check Point suggested the companies were being "manipulated" into powering these attacks.

El Reg invited AdsTerra, AdKernel, AdventureFeeds and EvoLeads to comment. We'll update this story as and when we get a response. ®

Updated to add

* AdKernel has been in touch to say it is not an ad reseller but rather a white-label ad-serving tech firm. It told us: "[R]ooting out malware is critical to our organization and we offer our customers many tools and technologies to address these issues. Yet it is up to the individual customer to determine how they manage malware within their ad stream."
