
How hack on 10,000 WordPress sites was used to launch an epic malvertising campaign

Crooks exploited legit web ad ecosystem – researchers

By John Leyden


Security researchers at Check Point have lifted the lid on the infrastructure and methods of an enormous "malvertising" and banking trojan campaign.

The operation delivered malicious adverts to millions worldwide, slinging all manner of nasties including crypto-miners, ransomware and banking trojans.

The researchers told The Register that they have observed over 40,000 infection attempts per week from this campaign (that is, at least 40,000 clicks on malicious adverts) and said the campaign was still active. They reckon the crims are getting a decent return on their ad spend, so they can afford to outbid legitimate advertisers for the same ad slots.

Check Point claimed that the brains behind the campaign – whom it dubbed Master134 – redirected hijacked traffic from over 10,000 hacked WordPress sites and sold it to AdsTerra, a real-time bidding ad platform. They wrote that AdsTerra then sold it on via white-label ad-serving tech from AdKernel* and advert resellers (ExoClick, EvoLeads and AdventureFeeds), which in turn sold it to the highest-bidding "advertiser".

However, the security researchers claimed, these "advertisers" were actually criminals looking to distribute ransomware, banking trojans, bots and other malware. The infected adverts then appeared on the websites of thousands of publishers worldwide, instead of clean, legitimate ads.

The ads often contained malicious JavaScript that exploits unpatched vulnerabilities in browsers or browser plug-ins such as Adobe's Flash Player, so that the user is infected with ransomware, keyloggers or other malware simply by visiting a page that serves the malicious advert. This drive-by tactic is well known and dates back more than a decade.

Check Point said the criminals made a laughing stock of the legitimate online advertising ecosystem. They even measured the return on investment of their ad spend by comparing it to the money they made from crypto-mining and ransoms.

The payment system in this scheme also laundered the proceeds, courtesy of the online advertising ecosystem, the researchers claimed.

Master134 and commander

What started out as the compromise of thousands of websites – all running WordPress v4.7.1, which the researchers said left them open to remote code execution attacks – took in multiple parties in the online advertising chain, and ended with the distribution of malware to web users globally, the researchers said.

They added that the campaign revealed a partnership between a threat actor disguised as a publisher (dubbed "Master134") and several legitimate resellers.

The criminals behind the "malverts" can target users according to whether they are running unpatched operating systems or browsers, and even by device type. With little verification technology in use in the field, the ad networks in the chain are not going to spot the malicious activity.

The exact content users see depends on who they are, where they are, what device they're using and other variables. This makes it incredibly difficult for both publishers and the ad industry to conclusively review every version of an advert for malicious content.
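As an added illustration, not code from Check Point's report or anything recovered from the campaign, the block below models in JavaScript the fingerprint-based serving the two paragraphs above describe: an ad server that hands a clean creative to anything that looks like an automated verifier or a datacenter address, and the redirect to an exploit-kit gate only to a browser profile an old plug-in exploit would work on. It then shows the counter-measure a verifier can run, requesting the same slot under several personas and flagging divergence. The hostnames, address prefixes, personas and targeting rules are constructed assumptions.

```javascript
// Added example: a simplified model of fingerprint-based ad targeting
// (cloaking) and of the multi-persona probe a verifier can run against it.
// Illustrative code only, nothing recovered from the campaign; the creatives,
// hostnames, IP prefixes, personas and targeting rules are all constructed.

// The two creatives the server can hand back. The "redirect" one stands in
// for the hop to an exploit-kit gate; it carries no payload here.
const BENIGN_CREATIVE = { kind: "image", src: "https://cdn.example.invalid/shoes.png" };
const GATE_CREATIVE = { kind: "redirect", src: "https://gate.example.invalid/in" };

// Constructed: address prefixes the operator treats as "scanner, not victim"
// (RFC 5737 TEST-NET-3) and the countries the campaign is buying traffic for.
const DATACENTER_PREFIXES = ["203.0.113."];
const TARGET_COUNTRIES = new Set(["US", "GB"]);

// Every signal below comes from request headers plus a small loader script
// that reports navigator.plugins and navigator.webdriver back to the server.
function fingerprint(req) {
  const ua = req.userAgent || "";
  const plugins = (req.plugins || []).map((p) => p.toLowerCase());
  return {
    isIE: /MSIE \d+|Trident\/\d+/.test(ua),
    hasFlash: plugins.some((p) => p.includes("shockwave flash")),
    looksAutomated: req.webdriver === true || /HeadlessChrome|PhantomJS/i.test(ua),
    fromDatacenter: DATACENTER_PREFIXES.some((pfx) => (req.ip || "").startsWith(pfx)),
    inTargetGeo: TARGET_COUNTRIES.has(req.country),
  };
}

// The operator's decision: clean ad for anything that might be a verifier,
// the gate only for a profile that an unpatched plug-in exploit would hit.
function chooseCreative(req) {
  const fp = fingerprint(req);
  if (fp.looksAutomated || fp.fromDatacenter) return BENIGN_CREATIVE;
  if (fp.isIE && fp.hasFlash && fp.inTargetGeo) return GATE_CREATIVE;
  return BENIGN_CREATIVE;
}

// Verifier side: request the same slot under several personas and flag the
// slot when the answers diverge or any persona receives a redirect.
const PERSONAS = [
  { name: "scanner", ip: "203.0.113.7", country: "US", webdriver: true, plugins: [],
    userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 HeadlessChrome/68.0.3440.84 Safari/537.36" },
  { name: "patched-chrome", ip: "198.51.100.9", country: "US", plugins: ["Chrome PDF Viewer"],
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/68.0.3440.106 Safari/537.36" },
  { name: "ie11-flash", ip: "198.51.100.10", country: "US", plugins: ["Shockwave Flash"],
    userAgent: "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" },
];

function probeSlot(serve, personas) {
  const results = personas.map((p) => ({ persona: p.name, creative: serve(p) }));
  const distinct = new Set(results.map((r) => JSON.stringify(r.creative)));
  return {
    results,
    divergent: distinct.size > 1,
    redirectedPersonas: results
      .filter((r) => r.creative.kind === "redirect")
      .map((r) => r.persona),
  };
}

// Stand-alone run: the scanner persona alone sees a clean image; the probe
// across personas reveals the redirect handed to the vulnerable profile.
const report = probeSlot(chooseCreative, PERSONAS);
console.log(JSON.stringify(report, null, 2));
```

Run it with `node`. The single scanner persona gets the clean creative every time, which is exactly why one automated scan per creative proves nothing; the probe only catches the gate because one persona looks like a real, vulnerable user on a residential-looking address, and an operator who notices that persona can simply tighten the rules.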

Check Point's research raises questions about the ad verification methods used across the online advertising industry. Check Point suggested the companies in the chain were being "manipulated" into powering these attacks.

El Reg invited AdsTerra, AdKernel, AdventureFeeds and EvoLeads to comment. We'll update this story as and when we get a response. ®

Updated to add

* AdKernel has been in touch to say it is not an ad reseller but rather a white-label ad-serving tech firm. It told us: "[R]ooting out malware is critical to our organization and we offer our customers many tools and technologies to address these issues. Yet it is up to the individual customer to determine how they manage malware within their ad stream."
