
How hack on 10,000 WordPress sites was used to launch an epic malvertising campaign

Crooks exploited legit web ad ecosystem – researchers


Security researchers at Check Point have lifted the lid on the infrastructure and methods of an enormous "malvertising" and banking trojan campaign.

The operation delivered malicious adverts to millions worldwide, slinging all manner of nasties including crypto-miners, ransomware and banking trojans.

The researchers told The Register that they have observed over 40,000 infection attempts per week from this campaign (that is, at least 40,000 clicks on malicious adverts) and said the campaign was still active. They reckon the crims are getting a decent return on their ad spend so they can afford to outbid legitimate publishers.

Check Point claimed that the brain behind the campaign – whom it dubbed Master134 – redirected stolen traffic from over 10,000 hacked WordPress sites and sold it to AdsTerra, a real-time bidding ad platform. They wrote that AdsTerra then sold it via white-label ad-serving tech from AdKernel* and advert resellers (ExoClick, EvoLeads and AdventureFeeds) which then went on to sell it to the highest bidding "advertiser".

However, the security researchers claimed, these "advertisers" were actually criminals looking to distribute ransomware, banking trojans, bots and other malware. The infected adverts then appeared on the websites of thousands of publishers worldwide, instead of clean, legitimate ads.

The ads often contained malicious JavaScript code that exploits unpatched vulnerabilities in browsers or browser plug-ins, such as Adobe's Flash Player, so that the user gets infected by ransomware, keyloggers and other types of malware simply by visiting a site hosting the malicious link. This is a well-known hacker tactic that dates back at least 10 years.

Check Point said the criminals made a laughing stock of the legitimate online advertising ecosystem. They even measured the return on investment of their ad spend by comparing it to the money they made from crypto-mining and ransoms.

The payment system in this scheme also laundered the proceeds, courtesy of the online advertising ecosystem, the researchers claimed.

Master134 and commander

What started out as the compromise of thousands of websites – all using WordPress v.4.7.1 and thus vulnerable to remote code execution attacks – took in multiple parties in the online advertising chain, and ended with the distribution of malware to web users globally, the researchers said.

They added that the campaign revealed a partnership between a threat actor disguised as a publisher (dubbed "Master134") and several legitimate resellers.

The criminals behind the "malverts" can even target users according to whether or not they have unpatched operating systems or browsers, and even specific device types. Given the lack of verification tech in the field, ad networks are simply not going to detect the malicious activity.

The exact content users see depends on who they are, where they are, what device they're using and other variables. This makes it incredibly difficult for both publishers and the ad industry to conclusively review every version of an advert for malicious content.
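Because the payload depends on who is viewing it, a single review of an ad creative proves little. As an added example (not Check Point's or The Register's code), the Python below fetches the same creative under several browser/device profiles and flags any profile whose markup pulls scripts from, links to, or redirects to a host outside the advertiser's declared allowlist; the profile names, the allowlist and the ad server responses are constructed stand-ins.

```python
"""Profile-aware ad-creative verification (added example, hypothetical names)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWLIST = {"cdn.example-advertiser.test"}  # hypothetical declared hosts

# Constructed responses: what a hypothetical ad server returns per viewer profile.
FAKE_RESPONSES = {
    "Chrome/Win10/patched": '<a href="https://cdn.example-advertiser.test/lp">'
                            '<img src="https://cdn.example-advertiser.test/banner.png"></a>',
    "Firefox/Win7/Flash": '<script src="https://cdn.example-advertiser.test/a.js"></script>'
                          '<script src="https://loader.unknown-host.test/x.js"></script>',
    "Safari/iOS": '<meta http-equiv="refresh" content="0;url=https://redirect.unknown-host.test/">',
}

class _RefCollector(HTMLParser):
    """Collect the hosts a creative references: script/iframe/img src, links, meta refresh."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag in ("script", "iframe", "img") and a.get("src"):
            url = a["src"]
        elif tag == "a" and a.get("href"):
            url = a["href"]
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            idx = content.lower().find("url=")
            url = content[idx + 4:].strip() if idx >= 0 else None
        if url:
            host = urlparse(url).hostname
            if host:
                self.hosts.add(host.lower())

def fetch_creative(profile):
    """Stand-in for an HTTP fetch with the profile's User-Agent (assumption)."""
    return FAKE_RESPONSES[profile]

def verify_creative(profiles, allowlist=ALLOWLIST, fetch=fetch_creative):
    """Return {profile: sorted unexpected hosts} for every profile that fails review."""
    findings = {}
    for profile in profiles:
        parser = _RefCollector()
        parser.feed(fetch(profile))
        unexpected = sorted(h for h in parser.hosts if h not in allowlist)
        if unexpected:
            findings[profile] = unexpected
    return findings
```

The patched Chrome profile passes while the Flash-era Firefox and iOS profiles are flagged, which is exactly the divergence a single-profile review would miss.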

Check Point's research raises questions about the ad verification methods used across the online advertising industry and the malvertising ecosystem as a whole. Check Point suggested the companies were being "manipulated" into powering these attacks.

El Reg invited AdsTerra, AdKernel, AdventureFeeds and EvoLeads to comment. We'll update this story as and when we get a response. ®

Updated to add

* AdKernel has been in touch to say it is not an ad reseller but rather a white-label ad-serving tech firm. It told us: "[R]ooting out malware is critical to our organization and we offer our customers many tools and technologies to address these issues. Yet it is up to the individual customer to determine how they manage malware within their ad stream."
