
How hack on 10,000 WordPress sites was used to launch an epic malvertising campaign

Crooks exploited legit web ad ecosystem – researchers


Security researchers at Check Point have lifted the lid on the infrastructure and methods of an enormous "malvertising" and banking trojan campaign.

The operation delivered malicious adverts to millions worldwide, slinging all manner of nasties including crypto-miners, ransomware and banking trojans.

The researchers told The Register that they have observed more than 40,000 infection attempts per week from this campaign (that is, at least 40,000 clicks on malicious adverts) and said the campaign was still active. They reckon the crims are getting a good enough return on their ad spend that they can afford to outbid legitimate advertisers for the same traffic.

Check Point claimed that the brain behind the campaign – whom it dubbed Master134 – redirected stolen traffic from over 10,000 hacked WordPress sites and sold it to AdsTerra, a real-time bidding ad platform. They wrote that AdsTerra then sold it via white-label ad-serving tech from AdKernel* and advert resellers (ExoClick, EvoLeads and AdventureFeeds) which then went on to sell it to the highest bidding "advertiser".

However, the security researchers claimed, these "advertisers" were actually criminals looking to distribute ransomware, banking trojans, bots and other malware. The infected adverts then appeared on the websites of thousands of publishers worldwide, instead of clean, legitimate ads.

The ads often carried malicious JavaScript that exploits unpatched vulnerabilities in browsers or browser plug-ins, such as Adobe's Flash Player, so that the user is infected with ransomware, keyloggers or other malware simply by visiting a page on which the advert is served, with no click required. This drive-by technique is well known and dates back at least a decade.

Check Point said the criminals made a laughing stock of the legitimate online advertising ecosystem. They even measured the return on investment of their ad spend by comparing it to the money they made from crypto-mining and ransoms.

The payment system in this scheme also laundered the proceeds, courtesy of the online advertising ecosystem, the researchers claimed.

Master134 and commander

What started out as the compromise of thousands of websites, all running WordPress version 4.7.1 and thus vulnerable to remote code execution attacks, took in multiple parties in the online advertising chain and ended with the distribution of malware to web users globally, the researchers said.
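Site owners at the front of this chain would want a way to spot the planted redirect. The scanner below is an added example, not code from Check Point or from The Register; it assumes the redirect was injected into page HTML as an off-site script or iframe, a meta refresh, or an inline `location` assignment, and every hostname and the sample page are constructed for the demo.

```javascript
// Added example (not Check Point's or The Register's code): scan a WordPress page's HTML
// for injected off-site redirects. Allowlist, hostnames and sample page are constructed.

const ALLOWED_HOSTS = new Set(["www.example.com", "example.com", "fonts.googleapis.com"]);

// Resolve a possibly relative URL against the page's host; null if it has no host
// (data:, javascript:, malformed) so those are not reported as "foreign".
function hostOf(url, pageHost) {
  try {
    return new URL(url, "https://" + pageHost + "/").hostname || null;
  } catch (e) {
    return null;
  }
}

function findSuspiciousRedirects(html, pageHost, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  const isForeign = (url) => {
    const h = hostOf(url, pageHost);
    return h !== null && !allowedHosts.has(h);
  };
  let m;

  // 1. <script src> / <iframe src> loaded from a host the site owner never approved
  const srcRe = /<(script|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  while ((m = srcRe.exec(html)) !== null) {
    if (isForeign(m[2])) findings.push({ kind: m[1].toLowerCase() + "-src", url: m[2] });
  }

  // 2. <meta http-equiv="refresh" content="0;url=..."> pointing off-site
  const metaRe = /<meta\b[^>]*http-equiv\s*=\s*["']refresh["'][^>]*content\s*=\s*["'][^"']*url\s*=\s*([^"'\s]+)["']/gi;
  while ((m = metaRe.exec(html)) !== null) {
    if (isForeign(m[1])) findings.push({ kind: "meta-refresh", url: m[1] });
  }

  // 3. Inline scripts (no src attribute) that assign window.location to an off-site URL
  const inlineRe = /<script\b(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi;
  const locRe = /(?:window\.)?(?:top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']/g;
  while ((m = inlineRe.exec(html)) !== null) {
    let l;
    while ((l = locRe.exec(m[1])) !== null) {
      if (isForeign(l[1])) findings.push({ kind: "inline-location", url: l[1] });
    }
  }
  return findings;
}

// Constructed sample: a normal theme/jQuery page with two planted redirects, one of
// which only fires for visitors arriving from a search engine (a common cloaking trick).
const SAMPLE_PAGE = `
<html><head>
<link rel="stylesheet" href="/wp-content/themes/x/style.css">
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="//cdn.trafficbroker.example/r.js"></script>
</head><body>
<script>if(document.referrer.indexOf("google")!==-1){window.location="https://redirector.example/?k=1";}</script>
<p>Hello world</p>
</body></html>`;

console.log(JSON.stringify(findSuspiciousRedirects(SAMPLE_PAGE, "www.example.com"), null, 2));
```

Run it against a saved copy of a page (`curl -s https://site/ > page.html`) rather than the live site from the scanning host: as the next paragraphs describe, a redirect that keys on the visitor's referrer, device or IP may not fire for the machine doing the checking, so inspecting the HTML is more reliable than watching where a browser ends up.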

They added that the campaign revealed a partnership between a threat actor disguised as a publisher (dubbed "Master134") and several legitimate resellers.

The criminals behind the "malverts" can even target users according to whether their operating system or browser is unpatched, and even by device type. With little in the way of creative-verification tech deployed in the field, ad networks are unlikely to detect the malicious activity on their own.

The exact content a user sees depends on who they are, where they are, what device they are using and other variables. That makes it very hard for publishers and the ad industry alike to conclusively review every version of an advert for malicious content: a reviewer on a patched machine may simply never be shown the malicious variant.
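To make the per-visitor targeting concrete, the following is an added illustration (not code from Check Point's report or from any ad network) of the decision a cloaked creative can make, and of the multi-profile audit a reviewer would need to catch it. Every profile field, user-agent string and heuristic here is an assumption made for the demo, not observed Master134 behaviour, and the redirect target is deliberately left out.

```javascript
// Added example (illustrative; not from the Check Point report or any ad platform):
// per-visitor cloaking decision versus a multi-profile audit. All heuristics, UA strings
// and profile fields below are assumptions for the demo.

// Pull just enough out of a User-Agent string to drive the decision.
function parseUA(ua) {
  let os = "other";
  if (/Windows NT 6\.1/.test(ua)) os = "win7";
  else if (/Windows NT 10/.test(ua)) os = "win10";
  else if (/Android/.test(ua)) os = "android";
  else if (/Mac OS X/.test(ua)) os = "mac";

  let browser = "other", major = 0, m;
  if ((m = /MSIE (\d+)|Trident\/.*rv:(\d+)/.exec(ua))) { browser = "ie"; major = Number(m[1] || m[2]); }
  else if ((m = /Chrome\/(\d+)/.exec(ua))) { browser = "chrome"; major = Number(m[1]); }
  else if ((m = /Firefox\/(\d+)/.exec(ua))) { browser = "firefox"; major = Number(m[1]); }
  return { os, browser, major };
}

// The cloaking decision. "redirect" stands for the hop to an exploit landing page; the
// real target is omitted. Likely reviewers and scanners (datacentre source IP,
// headless/automation UA, repeat visitor) always receive the clean creative, so a
// verification pass from an office or cloud box sees nothing wrong.
function pickCreative(visitor) {
  const { os, browser, major } = parseUA(visitor.ua);
  if (visitor.fromDatacenter || /HeadlessChrome|PhantomJS/.test(visitor.ua) || visitor.seenBefore) {
    return { variant: "benign", reason: "looks like a scanner or reviewer" };
  }
  // Assumed targeting rule: old IE, a Flash plug-in, or Windows 7 marks the visitor as worth a try.
  const exploitable = (browser === "ie" && major <= 11) || visitor.hasFlash || os === "win7";
  return exploitable
    ? { variant: "redirect", reason: `${browser}/${major} on ${os}, flash=${visitor.hasFlash}` }
    : { variant: "benign", reason: "no targeted weakness" };
}

// Publisher-side check: exercise the creative under many visitor profiles and flag it
// if any profile is served something other than the clean variant.
function auditCreative(profiles) {
  const flagged = profiles.filter((p) => pickCreative(p).variant !== "benign").map((p) => p.label);
  return { consistent: flagged.length === 0, flagged };
}

// Constructed profiles: the first two are what a naive review would use; the rest are
// ordinary visitors, two of whom match the targeting rule.
const REVIEW_PROFILES = [
  { label: "reviewer: patched Chrome on Win10 from office range",
    ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
    hasFlash: false, fromDatacenter: true, seenBefore: false },
  { label: "scanner: headless Chrome",
    ua: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/67.0.3396.99 Safari/537.36",
    hasFlash: false, fromDatacenter: true, seenBefore: false },
  { label: "victim: IE11 on Win7 with Flash",
    ua: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    hasFlash: true, fromDatacenter: false, seenBefore: false },
  { label: "victim: Firefox on Win10 with Flash",
    ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0",
    hasFlash: true, fromDatacenter: false, seenBefore: false },
  { label: "bystander: Android Chrome, no Flash",
    ua: "Mozilla/5.0 (Linux; Android 8.0; Pixel 2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Mobile Safari/537.36",
    hasFlash: false, fromDatacenter: false, seenBefore: false },
];

console.log(auditCreative(REVIEW_PROFILES.slice(0, 2))); // reviewer-only pass: consistent, nothing flagged
console.log(auditCreative(REVIEW_PROFILES));             // broad audit: the two victim profiles flagged
```

The point of the audit function is the profile set, not the code: a review that only ever renders a creative from a patched browser on a known scanning range is exactly the population the cloaking logic is built to pass, so verification has to include profiles that look like the visitors the attacker wants, or work from the creative's code rather than its observed behaviour.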

Check Point's research raises questions about the ad verification methods used across the online advertising ecosystem as a whole. Check Point suggested the companies in the chain were being "manipulated" into powering these attacks.

El Reg invited AdsTerra, AdKernel, AdventureFeeds and EvoLeads to comment. We'll update this story as and when we get a response. ®

Updated to add

* AdKernel has been in touch to say it is not an ad reseller but rather a white-label ad-serving tech firm. It told us: "[R]ooting out malware is critical to our organization and we offer our customers many tools and technologies to address these issues. Yet it is up to the individual customer to determine how they manage malware within their ad stream."
