A malicious web redirect campaign affecting iPhone users has impacted more than 100 publisher websites, including online newspapers and international weekly news magazines.
According to the Media Trust’s Digital Security & Operations (DSO) team, iPhone users visiting any of the impacted websites were redirected in a recent malvertising campaign via a multistage process, to eventually land on a fraudulent popup masquerading as a grocery store reward ad. Along the way, the “Krampus-3PC” malware proceeded to harvest user session and cookie information from users, thus giving attackers the ability to log into users’ various online accounts.
Adding insult to injury, if visitors click on the grocery store ad, they are also redirected to a phishing page that prompted them to enter their personal information.
“The malware was able to retrieve not only whatever information users entered but also their phone numbers, which were later used for phishing texts, and cookie IDs,” explained DSO, in a report [PDF] issued on Wednesday. “The cookie ID enabled Krampus-3PC to hijack the browser, and – if the user had other sites like their bank or favorite online retailer open on their device – gain access to the user’s account. Access to a session cookie would enable the malvertiser to log in as that user at a later time.”
The attackers – who are of unknown origin, according to the Media Trust – first placed an ad to be distributed via the Adtechstack adtech provider. They then used the platform’s API to insert rogue code.
“Because they are running an ad on the platform, they have access to the platform’s tools. The platform takes the ad from the malicious advertiser, and the ad platform sold it to the publisher not knowing it was malicious,” Mike Bittner, director of digital security at the Media Trust, told Threatpost.
That ad purported to be for an international tech company and featured a well-known boy band, but in the background, Krampus-PC3 malware was hidden in the fake ad, Bittner explained. It first performed checks to make sure the user fell into the victimology parameters that the attackers were looking for (i.e., using an iPhone). Once all the checks were met, the user was redirected to fraudulent popups and the information harvesting began.
“[If the checks were positive], Krampus-3PC built and executed the payload URL — boostsea2[.]com – and sent user data to the command-and-control server,” the report explained. “This payload URL hijacked the browser, replacing the page address in order to redirect users to the phony reward popup. If the redirection failed, it used the backup method, loading the malicious URL onto another tab. The URL would continue to open and load onto a new tab the redirection succeeded.”
Online publishers and the adtech companies they work with typically use popular malware blockers to prevent these kinds of compromises; however, Krampus-3PC evaded conventional scanners and blockers via heavy obfuscation, according to the report.
The Media Trust declined to name the affected publishers.
Krampus, named after a figure in European folklore who visits homes during the Christmas season to punish misbehaving children, is a “smart” malware, according to Bittner.
“Given its level of sophistication, this malware was likely developed by a group rather than an individual,” he told Threatpost. “Using the adtech platform’s API and looking into the cascading style sheet commonly used by iPhones as one of several ways to identify the device are very novel techniques that are harder for threat experts to find, much less replicate.”
The adtech platform has blacklisted the advertiser and the “creative” (the ad itself).
Free Threatpost Webinar: Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. Join us on Dec. 18th at 2 pm EST as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. Click here to register.