Advanced Malvertising Campaign Exploits Online Advertising Supply Chain

silversurfer (thread author)
Malvertising Campaign Steals Traffic From 10,000 Hacked WordPress Sites and Exploits the Online Advertising Supply Chain

Malvertising is neither a new nor insignificant threat -- nor is there any easy solution to stop it. It is the abuse of the online advertising industry to deliver malware disguised as or hidden within seemingly innocuous advertisements.

Researchers at Check Point have discovered what they describe as the infrastructure and methods used in a large ‘malvertising’ and banking Trojan campaign, which delivers malicious adverts to millions worldwide through the HiBids online advertising platform.

The campaign starts with a threat actor that Check Point describes as 'Master134'. He sold stolen web traffic from 10,000 hacked WordPress sites to, say the researchers, "AdsTerra, the real time bidding (RTB) ad platform, who then sold it to Resellers (ExoClick, AdKernel, EvoLeads and AdventureFeeds)."
upnorth (moderator)
Before explaining the details of this research, and for those who are not familiar with how the online advertising industry operates, for our purposes it is enough to understand that the industry is based on three main elements:
1) Advertisers who wish to promote their products or content.
2) Publishers who allocate space on their website and sell it to Advertisers.
3) Ad-Networks that bid to buy ad space and connect Advertisers to Publishers.

In addition to these parties are Resellers. These companies work with Ad-Networks to resell the traffic that Ad-Networks collect from Publishers on to other Advertisers.
[Figure: diagram1.png]

Our discovery revealed an alarming partnership between a threat actor disguised as a Publisher and several legitimate Resellers that leverage this relationship to distribute a variety of malware including Banking Trojans, ransomware and bots. Furthermore, powering the whole process is a powerful and infamous Ad-Network called AdsTerra.

The following analysis reveals the full extent of this well-planned Malvertising operation and the manipulation of the entire online advertising supply chain. Our research also raises questions, as seen in our conclusion, about the collaboration involved in this campaign as well as proper verification of adverts in the online advertising industry as a whole. Furthermore, concerns from this discovery include the current role of Ad-Networks in the Malvertising ecosystem, who, as we shall see, are the companies powering these attacks.

...the party who owns the server belonging to IP address 134.249.116.78 (from now on referred to simply as ‘Master134’) is the funnel into the infection chain. However, the source of its traffic and target of his redirection still remained unclear.

[Figure: Malvertising-Flow.jpg]

Junnify.com points to the domain privacy service domainsbyproxy.com, which acts similarly to WhoisGuard on Namecheap.com, which protects Bikinisgroup.com, so it's curious how the actual owners were found. The Master134 IP points to a Ukrainian mobile phone operator.

Has anyone else noted that adKernel's Twitter and Facebook pages have not been updated since 2014 and 2016, and that Heilig Defense MinerOff warns about possible cryptocurrency mining on adKernel's site?
