Widespread Malvertising Campaign Hijacks 300 Million Sessions

Researchers say the bad actor behind the malvertising campaign is still active.

A massive malvertising campaign targeting iOS devices hijacked a whopping 300 million browser sessions in just 48 hours.

Researchers at Confiant recorded the campaign Nov. 12, and said that the threat actor behind the campaign is still active to this day.

A malicious landing page

According to researchers, those behind the malvertising campaigns typically inject malicious code into legitimate online ads and webpages, so when victims click those pages, they are forcefully redirected to a malicious page. In this case, the ad unit forcefully redirects mobile users to adult content and gift card scams.

Those included “forceful redirection to fake ‘You’ve Won a Gift Card’ or adult content landing pages,” Confiant CTO Jerome Dangu said in an analysis of the campaign, published Monday.

In this specific case, when users visited a web page, the malicious ad would execute embedded obfuscated JavaScript. Victims were then redirected to an array of malicious landing pages, including happy.hipstarclub[dot]com or happy.luckstarclub[dot]com. These landing pages typically impersonated Google Play apps, making them appear more legitimate, researchers said.

The pages would typically then try to phish visitor data in order to commit affiliate marketing related fraud and or steal personal identification data, such as email, address, revenue information, purchase intent, and more, Dangu told Threatpost.

“The session is hijacked without user interaction,” Dangu said . “When a user is given the opportunity to win $1,000, there will be some people falling for it. And at the scale of the scheme, this is very profitable for the attacker.”

Malvertising campaigns are no rare occurrence. In July, for instance, the AdsTerra online advertising company was leveraged as part of a malvertising campaign that involved at least 10,000 compromised websites.

This recent campaign, which targeted primarily iOS users in the United States, stands out due to its scale, Dangu told Threatpost.

While Confiant blocked over 5 million hits, the company estimated the total amount of impressions served to publishers to be over 300 million impressions during the 48-hour period.

To put that into perspective, 2017’s largest malvertising campaign, launched by threat actor Zirconium, wracked up one billion impacted browser impressions – throughout an entire year.

Dangu said that almost 60 percent of Confiant’s customers were impacted by the campaign, and “if you were browsing your favorite websites with your iPhone on [the impacted dates], there’s a good chance you were exposed to it.”

Applying a conservative 0.1 percent conversion rate to the 300 million impacted browser sessions, that could amount to at least 300,000 victims, said Dangu.

“Each of these victims is worth multiple dollars to the attacker,” Dangu told Threatpost. “Since our telemetry indicates that the attacker spent about $200,000 to run the campaign, we believe the attacker raked in to the tone of $1 million in 2 days.”

While there are dozens of these malvertising groups, “this one stands out by the scale of the attack they were able to deploy,” Dangu told Threatpost. “Although we attribute continuous activity to this attacker since at least August, we don’t have any more visibility on who is behind this.”

What Dangu does know, he said, is that the bad actor has been active since August – but with much lower visibility to tier-1 publishers and using smaller exchanges.

Researchers observed the attacker targeting the US – but also running malvertising campaigns in other locations, like Australia and New Zealand.

The bad actor is still active, researchers said, and have simply been pivoting to different ad networks on an on-going basis.

“We expect they will continue to leverage programmatic advertising platforms to maintain their operations for the foreseeable future,” Dangu said.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.