A sprawling malvertising campaign that leverages the AdsTerra legitimate online advertising company has been uncovered, involving at least 10,000 compromised websites and driving legions of web visitors around the world to exploit kits.
AdsTerra, one of the largest ad networks out there, essentially acts as a middle man, brokering deals between website publishers offering ad space and advertisers offering the highest bids for that online real estate. Often the winning advertising bidder for the space will resell that ad inventory to smaller advertisers, making for a multi-level economic model that a malvertising mastermind known as Master134 has been able to take advantage of.
Check Point researchers have found that Master134 has been posing as a legitimate website publisher on the AdsTerra online advertising network. To make its ad space attractive to advertisers, Master134 has ballooned its traffic by compromising 10,000 WordPress sites (all of them running the vulnerable 4.7.1 version of the software); thanks to that compromise campaign, visitors to those sites are redirected to Master134’s site.
Once victims reach Master134’s IP address, they’re in turn redirected to the ad pages that Master134 has sold via the AdsTerra platform using the artificially pumped up traffic.
The truly malicious part is that the ads are all redirecting site visitors to malware-download pages, which are distributing banking trojans, ransomware and bots on a drive-by basis. Check Point’s investigation revealed that legitimate resellers were bidding on ad space offered by the actor via AdsTerra, including ExoClick, EvoLeads and AdventureFeeds. Yet threat actors were purchasing the resold traffic.
“An examination of the purchases from AdsTerra showed that somehow, space offered by Master134 always ended up in the hands of cybercriminals, and thus enables the infection chain to be completed,” Check Point researchers explained, in a posting on Monday about the operation.
They added, “The list of redirection chains includes major players in the exploit kit landscape, along with some other malicious sites: Fobos, HookAds, Seamless, BowMan, TorchLie, BlackTDS and Slyip, all redirect to the Rig Exploit Kit. In addition, redirections to Magnitude Exploit Kit, GrandSoft Exploit Kit, FakeFlash and technical support scams can also be found in the list.”
Check Point also mentioned a fourth company that it identified as a reseller: AdKernel. The company however said that it had been misidentified; Check Point subsequently removed the reference from its posting upon further investigation.
“While the researchers did a great job discovering fraudulent and malvertising activities, they mistakenly mentioned AdKernel as an ad network or reseller, and made an erroneous statement that our company is involved in the activities of serving bad-actor advertisers,” AdKernel told Threatpost. “AdKernel is a leading white-label ad-serving technology company to ad networks and resellers. We provide ad-serving tools (including but not limited to RTB tools, analytics, optimization algorithms and much more) to hundreds of businesses around the world.”
Threatpost also reached out to Cyprus-based AdsTerra for more information on its verification process for advertisements and publishers. It told us that all publisher accounts that were mentioned in the research have now been suspended and that it plans to review its compliance policies and monitoring software based on Check Point’s findings.
“We would like to emphasize that we do not accept traffic from hacked/hijacked sites,” the company told us. “Malware ads are prohibited in AdsTerra Network and we have a monitor system that checks all campaigns and stops all suspicious campaigns.”
There’s a caveat however: “The logs from the article demonstrate that those ads came from third-party networks which are hard to control — third-party ads served by other ad networks connected to our supply using RTB/XML protocols. We will contact the networks that were mentioned in that article and notify them of the problems discovered.”
The discovery reveals an alarming subversion of the economy of the internet given that a tool with as large a reach as AdsTerra has been purchasing traffic from a known cybercriminal posing as an ordinary publisher, which obtains its traffic via malicious activities.
“Based on our findings, we speculate that the threat actors pay Master134 directly,” researchers explained. “Master134 then pays the ad-network companies to re-route and perhaps even disguise the origins of the traffic. In such a scenario, Master134 plays a unique role in the cybercrime underworld; he is generating profit from ad revenue by working directly with AdsTerra and is successfully making sure this traffic reaches the right, or in our case – the wrong hands.”
Master134 is a known player in the underground economy of cybercrime, according to researchers.
“Malicious campaigns dating back to 2016 have been traced to Master134’s IP address, and correspond with the timing of a previous malicious campaign linked to AdTerra,” Chris Olson, CEO of the Media Trust, said via email. “That year, Master134 redirected unsuspecting internet users from legitimate to malicious sites. These earlier campaigns seem to have paid off, and has enabled the miscreant to form a massive, highly organized operation with other known bad actors, as well as ad industry players who had previously looked away but now appear to be actively aiding and abetting traffic fraud.”
Unfortunately, lack of transparency in the digital supply chain combined with the millions of internet users at the receiving end of digital ads have turned traffic fraud into a lucrative multi-billion dollar business and, therefore, entice crime and corruption, he added.
“To combat traffic fraud, all digital players should police their digital partners and the code those partners execute in their digital ecosystem; ensure partners are adequately secure from malicious attacks; and continuously scan their digital ecosystems in real-time to identify and, when needed, terminate unauthorized code,” he noted.
This story was updated August 1, 2018 at 7:53 a.m., to reflect information and statements from AdsTerra and AdKernel.