Check Point Research uncovered an extensive malvertising campaign that has ties to legitimate online advertising companies.
Check Point’s report, titled “A Malvertising Campaign of Secrets and Lies,” detailed how a threat actor group used more than 10,000 compromised WordPress sites and multiple exploit kits to spread a variety of malware, including ransomware and banking Trojans. The group, which Check Point refers to as “Master134,” was responsible for a “well-planned” malvertising campaign that involved several online advertisement publishers, resellers and networks, including a company known as AdsTerra that Check Point claims was “powering the whole process.”
The technical aspects the Master134 campaign aren’t novel, according to Check Point. The threat actors used unpatched WordPress sites that were vulnerable to remote code execution attacks and then redirected traffic from those sites to pages run by ad networks, which in turn redirected users to a malicious domain that downloads malware to users’ systems.
Check Point researchers took a closer look at how traffic was directed to the malicious domains and found “an alarming partnership between a threat actor disguised as a publisher and several legitimate resellers.” According to the report, Master134 sells its traffic or “ad space” to the AdsTerra network, which then sells it to advertising resellers such as ExoClick, AdKernel, EvoLeads and AdventureFeeds.
The reseller then sells the Master134 traffic to their clients, but Check Point said its researchers discovered an odd pattern with the sales. “All the clients who bid on the traffic directed via AdsTerra, from Master134, happen to be threat actors, and among them some of the exploit kit land’s biggest players,” the report claimed.
Check Point Research speculated that threat actors operating these malicious domains and exploit kits pay Master134 for traffic or “victims,” which are supplied to them via a seemingly legitimate channel of ad networks. While the vendor didn’t accuse AdsTerra or the resellers of knowingly participating in the malvertising campaign, the report did say the ad networks would need to “turn a blind eye” for this scheme to be successful.
“[A]lthough we would like to believe that the resellers that purchase Master134’s ad space from AdsTerra are acting in good faith, unaware of Master134’s malicious intentions, an examination of the purchases from AdsTerra showed that somehow, space offered by Master134 always ended up in the hands of cyber criminals, and thus enables the infection chain to be completed,” the report stated.
SearchSecurity contacted AdsTerra, ExoClick, EvoLeads, AdventureFeeds and AdKernel for comment on the Check Point report.
AdKernel denied any involvement with the Master134 group or related threat actors. Judy Shapiro, chief strategy advisor, emailed a statement to SearchSecurity claiming the Check Point report is false and that AdKernel is an ad-serving technology provider, not an ad network or reseller. Shapiro also wrote that AdKernel did not own the malicious domains cited in the Check Point report, and that those domains were “owned by ad network clients of AdKernel.” The company, however, did not say who those clients were.
The other four companies had not responded at press time.
The Check Point Research report had strong words for the online advertising industry and its inability or unwillingness to prevent such malvertising campaigns from taking advantage of their networks.
“[W]hen legitimate online advertising companies are found at the heart of a scheme, connecting threat actors and enabling the distribution of malicious content worldwide, we can’t help but wonder — is the online advertising industry responsible for the public’s safety?” the report asked. “Indeed, how can we be certain that the advertisement we encounter while visiting legitimate websites are not meant to harm us?”