Recent malvertising campaigns were discovered by two security research firms, highlighting the threat of fake and legitimate—but poorly managed—advertising networks that infect victims by taking advantage of redirected web traffic.
One of the campaigns, disclosed by Malwarebytes, created fake advertising networks on a high-trafficked adult website that were registered via proxy. The campaign, dubbed HookAds, redirected targets to spoofed adult webpages in order to spread malware. These secondary decoy adult websites attempted to serve RIG and Neutrino EK exploit kits to inject payloads.
The campaign evaded detection through cloaking to detect whether a potential victim was a new visitor. The counterfeit networks directed intended victims to the malicious pornographic webpages, while other traffic such as researchers or honeypots were served banner ads that directed the visitors to other adult sites.
Malwarebytes Lead Malware Intelligence Analyst Jérôme Segura told SC Media the campaign began in mid-August or earlier. He said about one million visitors to adult websites were exposed to the malvertising campaign, although he said “we don't know that all were infected.”
The campaign appears to be linked to the TrickBot malware, Segura wrote in a Malwarebytes blog post.
Segura said he was surprised by the volume of domains that the attackers created for this campaign, rather than sub-domains, which are more common in malvertising attacks and easier to create. Most of the victims were from North America. Segura said he believes actors from Eastern Europe conducted the attacks.
A second campaign did not even require attackers to create fake advertising networks, but took advantage of the trend that advertising networks do not enforce their policies require display URLs to match the landing page URL.
The campaign, discovered by Cylance researchers, used Google AdWords to launch a malvertising campaign that targeted MacOS users. The advertisements targeted users who were looking to download a Google Chrome, but instead directed users to download a malicious installer, Cylance security researcher Jeff Tang wrote on a blog post.
He told SC Media that multiple parties that may be involved in the campaign. The attackers appear to be a small criminal group “in the order of ten” individuals, but the operation was positioned to achieve scale, as it owned many more domains that are not being used.