Malvertising campaigns are something criminal groups can keep in-house or pull off by paying outsiders. The service-based cyber-crime model is well-greased and allows for bad guys to pay niche experts for encryption, stolen traffic, and so on.
Independent French malware researcher Kafeine (@kafeine) points out operators on underground forums who are selling stolen traffic relating to malvertising with prices ranging from US$4000 for 100,000 multi-geographic hits (known in the marketplace as 'loads') to US$70 for 1000. By country, GrandClix sold United States traffic for the highest buck with US$500 for 1000 hits, and Australia and the United Kingdom attracting US$450 for the same amount.
Some groups do not need to outsource. "Depending on the individual case, some groups are almost owning the whole chain," Kaffeine says. "From the malvertising to the command and control of the malware loaded onto victims - they just rent the exploit kit slot."
Cisco's Schultz points out much the same, illustrating in March how one group had a "business relationship" with malvertising redirectors who offered the necessary traffic for the criminals to foist and fund their pay-per-install malware.
Both Kafeine, a skilled anti-cyber crime boffin, and Patrick Belcher (@BelchSpeak), senior researcher for security firm Invincea, say a single actor, judging by its tools, tactics, and procedures, is behind the recent major malvertising attacks against Yahoo! and big news sites.
That actor known as Fessleak has popped Yahoo! News, Huffington Post, and AOL among dozens of others serving the Kovter malware and using various exploit kits. The Invincea man says the actor is a "lone wolf" focused mainly on bedep click-fraud or advertising fraud bots. "He buys ads for three bucks from an ad company and then defrauds them out of $1000s from ad fraud," he says.
Another group Belcher has yet to reveal is a Russian outfit called ISGroup and so dedicated it created an entire fake company website dedicated to solar energy to deliver a single convincing malvertisement which foists the Rovnix rootkit.
Google was one of the advertising companies that facilitated that attack. "The whole reason for the front company was to sneak past the vetters (ad networks)," he says.
Experts agree the sophistication of the attacks and the channels that allow criminals to pull it off are set to improve to take advantage of the huge profits on offer. For some $6000 of investment, the Mad Hatter found criminals can inflict more than US$500,000 in damages.