Complex Malvertising Scheme Impacts Multiple Levels of Web Economy

A sprawling malvertising campaign that abuses AdsTerra, a legitimate online advertising network, has been uncovered. It involves at least 10,000 compromised websites and drives legions of web visitors around the world to exploit kits.

AdsTerra, one of the largest ad networks in operation, essentially acts as a middleman, brokering deals between website publishers offering ad space and advertisers bidding for that online real estate. Often the winning bidder resells the inventory to smaller advertisers, creating a multi-level economic model that a malvertising operator known as Master134 has been able to take advantage of.

Check Point researchers have found that Master134 has been posing as a legitimate website publisher on the AdsTerra online advertising network. To make its ad space attractive to advertisers, Master134 has ballooned its traffic by compromising 10,000 WordPress sites (all of them running WordPress 4.7.1, a version with known vulnerabilities); thanks to that compromise campaign, visitors to those sites are redirected to Master134’s site.

Once victims reach Master134’s IP address, they’re in turn redirected to the ad pages that Master134 has sold via the AdsTerra platform using the artificially pumped up traffic.

The truly malicious part is that the ads all redirect site visitors to malware download pages that distribute banking trojans, ransomware and bots on a drive-by basis. Check Point’s investigation revealed that legitimate resellers, including ExoClick, EvoLeads and AdventureFeeds, were bidding on the ad space the actor offered via AdsTerra, and that threat actors were then purchasing the resold traffic from those resellers.

“An examination of the purchases from AdsTerra showed that somehow, space offered by Master134 always ended up in the hands of cybercriminals, and thus enables the infection chain to be completed,” Check Point researchers explained, in a posting on Monday about the operation.

They added, “The list of redirection chains includes major players in the exploit kit landscape, along with some other malicious sites: Fobos, HookAds, Seamless, BowMan, TorchLie, BlackTDS and Slyip, all redirect to the Rig Exploit Kit. In addition, redirections to Magnitude Exploit Kit, GrandSoft Exploit Kit, FakeFlash and technical support scams can also be found in the list.”
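The redirect chain described above, from compromised WordPress site through Master134’s server and the ad network to a traffic distribution system (TDS) and an exploit kit, shows up in web proxy logs as a run of 3xx responses that each hand the browser to a new origin. The following is an added example, not code from Check Point or from this article: it reconstructs per-client redirect chains from constructed proxy log lines and flags chains that either cross more origins than an ordinary ad redirect would or land on a hostname from a hypothetical indicator list keyed by the TDS names quoted above. The log format, client IPs, hostnames, indicator domains and hop threshold are all assumptions made for the example.

```python
"""Reconstruct HTTP redirect chains from proxy logs and flag the multi-hop
malvertising pattern (compromised site -> traffic broker -> ad network ->
reseller -> TDS). Added example; log format and hostnames are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log, one request per line:
# "<client_ip> <status> <requested_url> <Location header or ->"
SAMPLE_LOG = """\
10.0.0.5 200 http://blog-a.example/post/1 -
10.0.0.5 302 http://blog-a.example/wp-content/x.php http://broker.example/go?id=1
10.0.0.5 302 http://broker.example/go?id=1 http://adnet.example/serve?z=99
10.0.0.5 302 http://adnet.example/serve?z=99 http://reseller.example/click?c=7
10.0.0.5 302 http://reseller.example/click?c=7 http://tds-hookads.example/land
10.0.0.5 200 http://tds-hookads.example/land -
10.0.0.9 301 http://shop.example/old http://shop.example/new
10.0.0.9 200 http://shop.example/new -
10.0.0.7 302 http://news.example/out http://partner.example/in
10.0.0.7 200 http://partner.example/in -
"""

# Hypothetical indicator list: the labels are TDS names from the report, the
# domains are placeholders and not real infrastructure.
TDS_INDICATORS = {"tds-hookads.example": "HookAds", "tds-fobos.example": "Fobos"}

# Assumed threshold: a legitimate ad click rarely crosses more than two origins.
MAX_BENIGN_CROSS_ORIGIN_HOPS = 2


def host(url):
    """Hostname of a URL, or empty string if it cannot be parsed."""
    return urlsplit(url).hostname or ""


def parse_log(text):
    """Yield (client, status, url, location) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        client, status, url, location = line.split()
        yield client, int(status), url, (None if location == "-" else location)


def build_chains(records):
    """Follow Location headers per client to reconstruct redirect chains."""
    edges = defaultdict(dict)  # client -> {redirecting url: location}
    for client, status, url, location in records:
        if 300 <= status < 400 and location:
            edges[client][url] = location
    chains = []
    for client, redirects in edges.items():
        targets = set(redirects.values())
        # A chain starts at a redirecting URL that nothing else redirected to.
        for start in redirects:
            if start in targets:
                continue
            chain, cur, seen = [start], start, set()
            while cur in redirects and cur not in seen:  # seen guards loops
                seen.add(cur)
                cur = redirects[cur]
                chain.append(cur)
            chains.append((client, chain))
    return chains


def classify(chain):
    """Return the reasons a chain looks like malvertising (empty if none)."""
    reasons = []
    hosts = [host(u) for u in chain]
    cross_origin = sum(1 for a, b in zip(hosts, hosts[1:]) if a != b)
    if cross_origin > MAX_BENIGN_CROSS_ORIGIN_HOPS:
        reasons.append(f"{cross_origin} cross-origin hops")
    for h in hosts:
        if h in TDS_INDICATORS:
            reasons.append(f"lands on known TDS {TDS_INDICATORS[h]} ({h})")
    return reasons


def suspicious_chains(log_text):
    """Return {client: (chain, reasons)} for every chain with at least one reason."""
    flagged = {}
    for client, chain in build_chains(parse_log(log_text)):
        reasons = classify(chain)
        if reasons:
            flagged[client] = (chain, reasons)
    return flagged


if __name__ == "__main__":
    for client, (chain, reasons) in suspicious_chains(SAMPLE_LOG).items():
        print(client, " -> ".join(host(u) for u in chain), "|", "; ".join(reasons))
```

On the constructed log only client 10.0.0.5 is flagged: its chain crosses four origins and ends on the hypothetical HookAds host, while the same-origin 301 and the single cross-origin hop for the other clients pass as ordinary redirects. In a real deployment the indicator map would come from threat intelligence and the hop threshold should be tuned against the site’s own baseline, since some legitimate ad stacks also chain several partners.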

The fact that AdsTerra is seemingly unaware of the activity may be unintentional – or it may not be.

“This may be done by choice, in order to maximize the financial gain regardless of the damage caused to internet users, or it may be done unknowingly, due to the lack of ad-verification technology which provides inspection of advertisers before their content is published,” Check Point researchers explained.

Threatpost reached out to Cyprus-based AdsTerra for more information on its verification process for advertisements and publishers, but did not receive a response in time for publication.

Regardless of intent, the discovery reveals an alarming subversion of the economy of the internet: a network with as large a reach as AdsTerra has been buying and reselling traffic from a known cybercriminal posing as an ordinary publisher, who obtains that traffic through malicious activity.

“Based on our findings, we speculate that the threat actors pay Master134 directly,” researchers explained. “Master134 then pays the ad-network companies to re-route and perhaps even disguise the origins of the traffic. In such a scenario, Master134 plays a unique role in the cybercrime underworld; he is generating profit from ad revenue by working directly with AdsTerra and is successfully making sure this traffic reaches the right, or in our case – the wrong hands.”

Master134 is a known player in the underground economy of cybercrime, according to researchers.

“Malicious campaigns dating back to 2016 have been traced to Master134’s IP address, and correspond with the timing of a previous malicious campaign linked to AdsTerra,” Chris Olson, CEO of the Media Trust, said via email. “That year, Master134 redirected unsuspecting internet users from legitimate to malicious sites. These earlier campaigns seem to have paid off, and have enabled the miscreant to form a massive, highly organized operation with other known bad actors, as well as ad industry players who had previously looked away but now appear to be actively aiding and abetting traffic fraud.”

Unfortunately, the lack of transparency in the digital supply chain, combined with the millions of internet users at the receiving end of digital ads, has turned traffic fraud into a lucrative multi-billion-dollar business that entices crime and corruption, he added.

“To combat traffic fraud, all digital players should police their digital partners and the code those partners execute in their digital ecosystem; ensure partners are adequately secure from malicious attacks; and continuously scan their digital ecosystems in real-time to identify and, when needed, terminate unauthorized code,” he noted.