Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb

Sophisticated Malvertising Campaign Involves 10,000 WordPress Sites

A CheckPoint study has uncovered a complex malvertising schemes that involves more than 10,000 WordPress-hosted sites, and an ecosystem of ad-networks and resellers.

Malvertising is a well-known and long-standing security problem for the web. Advertisements that have malicious purpose have afflicted any number of different web browsers for years after an attack.

However, the methods behind these campaigns are much more sophisticated than most realize.

A recent report by CheckPoint describes an entire ecosystem that monetizes the efforts behind these ads. As the researchers put it: "It starts with compromised WordPress websites, involves multiple parties in the online advertising chain and ends with distributing malicious content."

This all starts with the threat actor or actors that CheckPoint calls Master134, which is named after the command-and-control server at the heart of the scheme.

First, CheckPoint found over 10,000 WordPress CMS version 4.7.1 sites that were compromised through exploitation of a known remote code execution vulnerability. Ads -- or other malware -- were injected that redirected users to a controlled portal.

From here, it all gets interesting.

Master134 then masquerades as a publisher in the AdsTerra advertising network. These networks sell "ad slots" to other resellers that deal directly with the ad buyers.

Interestingly, CheckPoint found that AdsTerra, which based in Cyprus, had been previously involved in the Magnitude Exploit Kit infection chain.

AdsTerra will sell the slots to the highest bidder, such as ExoClick, AdKernel, EvoLeads and AdventureFeeds.

By some "coincidence," Master134's slots sold through these resellers all ended up hosting malware. Threat actors can offer high bids for the slots to the resellers -- when compared to other advertisers -- because their ill-gotten gains roll in fast.

Some of the malicious ads that have shown up in the slots include campaigns for Fobos, HookAds, Seamless, BowMan, TorchLie, BlackTDS and Slyip, which will redirect to the RIG Exploit Kit. (See RIG Exploit Kit Injects Code That Creates Monero Miner.)

In addition, redirections to Magnitude Exploit Kit, GrandSoft Exploit Kit, FakeFlash and technical support scams have been found by CheckPoint.

So it seems that threat actors seeking traffic for their campaigns simply buy ad space from Master134 through several ad-networks and, in turn, Master134 indirectly sells traffic and victims to these campaigns.

There is some form of a "plausible deniability" gained by everyone involved in the chain.

However, ClickPoint believes that the money flow works differently. Researchers suspect that Master134 gets paid from the threat actors and then launders it through the ad networks.

Zero in on the most attractive 5G NR deployment strategies, and take a look ahead to later technology developments and service innovations. Join us for the Deployment Strategies for 5G NR breakfast workshop in LA at MWCA on September 12. Register now to learn from and network with industry experts – communications service providers get in free!

As the research note describes:

Speculate that the threat actors pay Master134 directly. Master134 then pays the ad-network companies to re-route and perhaps even disguise the origins of the traffic. In such a scenario, Master134 plays a unique role in the cybercrime underworld; he is generating profit from ad revenue by working directly with AdsTerra and is successfully making sure this traffic reaches the right, or in our case -- the wrong hands.

What this shows is that threat actors are gaining sophistication in their operations. Besides obfuscating the exploit code, they are hiding the monetization process from prying eyes. They hope to use methods used by normal businesses to hide their crime.

Real-time ad buying is a very mechanized process. Ascertaining the use intent of an ad buyer is impossible right now, because humans never touch the process. That may have to change.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Another COVID-19 Side Effect: Rising Nation-State Cyber Activity
Stephen Ward, VP, ThreatConnect,  7/1/2020
Lessons from COVID-19 Cyberattacks: Where Do We Go Next?
Derek Manky, Chief of Security Insights and Global Threat Alliances, FortiGuard Labs,  7/2/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.
PUBLISHED: 2020-07-07
A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user su...