RoughTed: The anti ad-blocker malvertiser

spaceoctopus

Thread author
Jul 13, 2014
RoughTed is a large malvertising operation that peaked in March 2017 but has been going on for at least well over a year. It is unique for its considerable scope ranging from scams to exploit kits, targeting a wide array of users via their operating system, browser, and geolocation to deliver the appropriate payload.

We estimate that the traffic via RoughTed related domains accumulated to over half a billion hits and was responsible for many successful compromises due to effective techniques that triage visitors and bypass ad-blockers.

The threat actors behind RoughTed have been leveraging the Amazon cloud infrastructure, in particular, its Content Delivery Network (CDN), while also blending in the noise with multiple ad redirections from several ad exchanges, making it more difficult to identify the source of their malvertising activity.

Highlights
  • Traffic comes from thousands of publishers, some ranked in Alexa’s top 500 websites.
  • RoughTed domains accumulated over half a billion visits in the past 3 months alone.
  • Threat actors are leveraging fingerprinting and ad-blocker bypassing techniques upstream.
  • RoughTed can deliver a variety of payloads for each platform: scams, exploit kits, and malware.
 

DJ Panda

Aug 30, 2015
The solution I use: only go on a very slim amount of sites and treat everything else as possibly harmful. YouTube, MalwareTips, and a couple of things. Up to the user, but I have gotten away with not using an adblocker. Worried about hurting my favorite content creators. :)
 

soccer97

May 22, 2014
Oh joy. Now those ad blockers we adopted to defend us from malvertising are being bypassed.


I have noticed the most trouble with these with in-browser extensions such as AdBlockPlus and similar filters (add-ons, extensions). I haven't really had any major issues with Adguard, which is a 'system wide' ad-blocker, even on sites such as Forbes requiring you to disable ad-blockers, which is IMHO one of the most annoying sites. So I just stopped; I never use them.

Just a nugget of knowledge. I think HTTPS scanning whether through drivers, AV or Ad-blocking tech may be the way of the future.
 

Arequire

Feb 10, 2017
I have noticed the most trouble with these with in-browser extensions such as AdBlockPlus and similar filters (add-ons, extensions). I haven't really had any major issues with Adguard, which is a 'system wide' ad-blocker, even on sites such as Forbes requiring you to disable ad-blockers, which is IMHO one of the most annoying sites. So I just stopped; I never use them.
Neither Adguard's browser extension or its Windows application stopped this until it was brought to the developer's attention. Those who were fingerprinted and found to be running ad blocking software were served dialog pop-ups and clicking anywhere on the page resulted in their browser being hijacked and redirected.
I think HTTPS scanning whether through drivers, AV or Ad-blocking tech may be the way of the future.
I hope not. We've already seen plenty of evidence of AV companies poorly implementing their HTTPS scanning components and actively weakening and undermining the security of the encryption afforded by TLS/SSL. If AV companies (whose claim to fame is to increase the security of their users) can't keep up with the evolution of crypto protocols and actively weaken that encryption via their garbage TLS proxies, then I put absolutely zero faith in ad blocking companies not screwing it up even more.
 

spaceoctopus

Thread author
Jul 13, 2014
Another thing is that often those ads and ad networks are not detected by antiviruses and security suites, except a few, for example Emsisoft when you turn Privacy risks on. Even with that you need an adblocker.
 

tryfon

May 13, 2017
We can only hope adblockers can keep up with these attempts to bypass them.
 

soccer97

May 22, 2014
We can only hope adblockers can keep up with these attempts to bypass them.


I hear you guys. My assumption was that an in-browser add-in/extension may also increase the attack surface (maybe via fingerprinting), thus possibly making it easier for hackers to exploit vulnerabilities. This also includes the large amount of memory that AdBlockPlus uses. I am not pushing/promoting any vendor's software :).

@Arequire Agreed in retrospect that HTTPS scanning has a long way to go to become more secure. It would be great if they all supported the latest version of TLS - but I believe that may be magical thinking at this point.

Thanks for your contributions - I learn something new each day.

Gotta get some sleep.
 
