Uncovering 2017’s Largest Malvertising Operation

The Zirconium group successfully created and operated 28 fake ad agencies to distribute malvertising campaigns through 2017, buying an estimated 1 billion ad views over the year and reaching 62% of ad-monetized websites on a weekly basis.

Forced redirects

Through 2016 and 2017, the prevalence of exploit kits in online advertising has decreased, as browsers became more secure. A few drivers explain this evolution:

The standardization of browser sandboxes (not only Chrome/Safari but now Firefox and Edge)

The decline of Adobe Flash as a vector for exploit kits, accelerated by the ban of Flash ads in Google Chrome from September 2015

The high profile demise of Angler Exploit Kit in June 2016

The rise of exploit detection and sophisticated telemetry that uncovers attacks in spite of evasion

As a consequence, many malvertising campaigns moved to “forced redirects” as the second best attack vector. A forced redirect is when a person is surfing the web on a computer or mobile device and through no action of their own gets redirected to a different website. Usually the website they are redirected to is a vehicle for some form of affiliate fraud or malware.

Although forced redirects require social engineering (tricking users into falling for a scam or infecting their computer), they can stay under the radar for a long time by not triggering in situations that may correspond to security investigations.

Execution and chain of redirection

Fig. 1: Redirection flow

Beginads was only briefly used to establish relationships with ad platforms as a fake ad agency. Confiant observed it as a stand-alone ad server in March 2017, but it later became the domain that acts as the TDS (Traffic Direction System) on behalf of all the campaigns running on all the fake agencies’ ad servers.

Zirconium established a well thought-out organization to maximize both Supply (user traffic) and Demand (landing pages).

Supply is brought in by the fake agencies, establishing relationships with legitimate ad platforms, and buying traffic. Having multiple relationships makes the operation more robust (in case an agency gets caught) and stealthier — as each agency poses as a long-tail small business agency and buys small amounts at a time.

Aggregating Demand is the other key component to Zirconium’s business model. Confiant established that Zirconium does not operate these landing pages on their own. Instead, they resell the traffic to affiliate marketing platforms.

Maintaining those relationships at the agency level would have been cumbersome and inefficient. Beginads.com became the central gateway to manage the demand. Just like a legitimate advertising operation, this requires constant optimization and testing to yield the most revenue. Beginads.com became the centralized place where Zirconium could rationalize its revenue.
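The chain in Fig. 1 (fake agency ad server, then the Beginads TDS, then an affiliate network, then a landing page) is what a defender actually sees in proxy or HTTP logs as a sequence of 3xx responses. The script below is an added example, not Confiant's tooling or anything from the report: it reconstructs per-session redirect chains from a constructed log sample and flags chains that pass through a known TDS host or exceed a hop budget. The log format, the session identifiers and every domain except beginads.com (the only one named on this page) are assumptions made up for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample log: one request per line with the response status and the
# Location header (or "-") for that response. Session a1 shows a forced-redirect
# chain through a TDS; session b2 is an ordinary canonical-URL redirect.
SAMPLE_LOG = """\
2017-06-01T12:00:01Z sess=a1 GET https://publisher.example/article 200 -
2017-06-01T12:00:01Z sess=a1 GET https://cdn.adplatform.example/creative.js 200 -
2017-06-01T12:00:02Z sess=a1 GET https://fakeagency.example/serve?c=42 302 https://beginads.com/tds?u=abc
2017-06-01T12:00:02Z sess=a1 GET https://beginads.com/tds?u=abc 302 https://affiliate.example/offer?id=9
2017-06-01T12:00:03Z sess=a1 GET https://affiliate.example/offer?id=9 302 https://landing.example/win
2017-06-01T12:00:03Z sess=a1 GET https://landing.example/win 200 -
2017-06-01T12:01:00Z sess=b2 GET https://publisher.example/home 200 -
2017-06-01T12:01:00Z sess=b2 GET https://news.example/short 301 https://www.news.example/short
2017-06-01T12:01:01Z sess=b2 GET https://www.news.example/short 200 -
"""

# timestamp, session, method, url, status, location
LINE_RE = re.compile(r"^(\S+) sess=(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

KNOWN_TDS = {"beginads.com"}  # TDS domain named in the report
MAX_HOPS = 2                  # assumed budget: legitimate chains are rarely longer


def parse_log(text):
    """Parse the assumed log format into a list of request records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the format
        _ts, sess, _method, url, status, location = m.groups()
        records.append({
            "session": sess,
            "url": url,
            "status": int(status),
            "location": None if location == "-" else location,
        })
    return records


def build_chains(records):
    """Follow Location headers within each session into redirect chains.

    A chain starts at a redirecting request whose URL is not itself the target
    of another redirect in the same session, and follows Location hops until a
    non-redirect response (or an unseen URL) is reached.
    """
    sessions = {}
    for r in records:
        sessions.setdefault(r["session"], []).append(r)

    chains = []
    for sess, recs in sessions.items():
        by_url = {r["url"]: r for r in recs}
        targets = {r["location"] for r in recs if r["location"]}
        for r in recs:
            if not r["location"] or r["url"] in targets:
                continue  # not the head of a chain
            hops, seen, cur = [r["url"]], {r["url"]}, r
            while cur is not None and cur["location"]:
                nxt = cur["location"]
                hops.append(nxt)
                if nxt in seen:
                    break  # guard against redirect loops
                seen.add(nxt)
                cur = by_url.get(nxt)  # None if the hop was never requested
            chains.append({"session": sess, "hops": hops})
    return chains


def flag_chains(chains, known_tds=KNOWN_TDS, max_hops=MAX_HOPS):
    """Annotate each chain with its hosts, landing host and any reasons to flag it."""
    findings = []
    for c in chains:
        hosts = [urlparse(u).hostname for u in c["hops"]]
        reasons = []
        tds_hits = sorted(h for h in hosts if h in known_tds)
        if tds_hits:
            reasons.append("known TDS host: " + ", ".join(tds_hits))
        n_redirects = len(c["hops"]) - 1
        if n_redirects > max_hops:
            reasons.append(f"{n_redirects} redirect hops (max {max_hops})")
        findings.append({**c, "hosts": hosts, "landing": hosts[-1], "reasons": reasons})
    return findings


def analyze(text):
    """Parse a log, rebuild its redirect chains and return the flagged annotations."""
    return flag_chains(build_chains(parse_log(text)))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        status = "FLAG" if f["reasons"] else "ok  "
        print(status, f["session"], " -> ".join(f["hosts"]), f["reasons"])
```

In a real deployment the interesting signal is the combination: the chain head is served from an ad-serving domain, the same session requested a publisher page moments earlier, and the chain passes through a TDS before landing on a site the user never clicked. Keeping the TDS list and hop budget as parameters lets the same logic be rerun as the operator rotates domains.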

MyAdsBro, the not-fake ad network by Zirconium

Confiant found yet another level of redirection between Beginads / Horizon-media and the affiliate networks, going by the name “MyAdsBro” and operated by Zirconium.

Essentially, Zirconium’s own campaigns run via MyAdsBro, but anyone else can also push traffic to it and pay them a revenue commission. MyAdsBro claims to pay out in cryptocurrencies.

Going as far as to build a black-hat affiliate network shows the level of sophistication that they reached in their operations.