Large Malvertising Campaign Goes (Almost) Undetected


Kumaran
Thread author
Dec 15, 2013

In mid August, the actors behind some of the recent malvertising campaigns we documented on this blog before started to come out with several new tricks to fly under the radar and yet expose tens of millions of users to malware.

Without a doubt, the increased scrutiny on malvertising and ad networks has forced malicious actors to revise how they go about their business, a critical part in driving victims to exploit kits for the purpose of compromising their systems.

The malvertising campaign we are exposing leveraged several top ad networks, as well as many more smaller ones. Despite its large scope and impact, it ran mostly uninterrupted for almost three weeks, according to telemetry data we were able to mine once we uncovered the scheme.

The threat actors responsible for this attack devised a cunning plan to pose as legitimate advertisers and employed stealthy and advanced techniques to hide malicious traffic redirections so well that they evaded most detection systems.

The ultimate goal of this plan was to compromise the computers of millions of users browsing popular websites by covertly redirecting their browsers to the Angler Exploit Kit, the most advanced tool used in drive-by download attacks.

Bogus (but clean) adverts

Malicious actors registered to various ad platforms posing as legitimate advertisers and submitted their creatives (shown below) through Real Time Bidding.

The companies they were purporting to represent appeared legitimate on the surface, with websites registered years ago with even some listed in the Better Business Bureau registry. This decoy worked well enough to fool many ad networks with direct ties to the major ones in the online ad industry.

The ads themselves were loaded directly from the rogue advertisers’ websites, which, as we will see later, was part of the problem in compromising the advertising chain. However, it is worth mentioning that the ads themselves were not booby-trapped at all, which again made it more difficult to spot something suspicious.

