A mysterious hacker group has been taking over ad servers for the past nine months in order to insert malicious ads into their ad inventory, ads that redirect users to malware download sites.

This clever hacking campaign was discovered last month by cyber-security firm Confiant and appears to have been running for at least nine months, since August 2019.

Confiant says hackers have targeted advertising networks running old versions of the Revive open-source ad server. Hackers breach outdated Revive servers and silently append malicious code to existing ads.

Once the tainted ads load on legitimate sites, the malicious code hijacks and redirects site visitors to websites offering malware-laced files -- usually disguised as Adobe Flash Player updates.


Confiant says it identified around 60 Revive ad servers that have been compromised by this hacker group -- which the company has codenamed Tag Barnakle.

The company says the group has managed to load its malicious ads on thousands of sites, with the malicious ads being broadcast to other ad companies thanks to RTB (real-time bidding) integrations between services.

"If we take a look at the volumes behind just one of the compromised RTB ad servers - we see spikes of up to 1.25 [million] affected ad impressions in a single day," said Eliya Stein, a Senior Security Engineer at Confiant.

Tag Barnakle is not the norm for malvertisers



Stein says Tag Barnakle is a rare breed of malvertiser. Malvertising groups that hack ad servers haven't been seen operating at this scale since 2016.

For the past few years, most malvertising groups have used a different strategy -- creating networks of fake companies that buy ads on legitimate sites, which they later modify to load malicious code.

This tactic has been prevalent over the past few years because some shady ad networks are willing to turn a blind eye to malvertisers buying ads on their systems since both parties are making a profit. However, Tag Barnakle's modus operandi is not something that ad companies will be willing to put up with.

"We have seen other malvertisers do this, but it's less widespread in general for several reasons," Stein told ZDNet in an email. "First of all, I believe there's a sense among the attackers that there's a legal gray area when it comes to malvertising, but once you compromise an ad server there is no question that you've broken the law in a big way."

"It's also a different focus altogether," Stein added. "I imagine not all malvertisers have the skillset and wherewithal to actually go out and hack ad serving infrastructure or accounts. Paying for a media buy [an ad slot] is the path of least resistance."

Attacks still ongoing



Stein tells ZDNet that Confiant has spent the last few weeks notifying advertising companies that have been breached. However, not all advertising companies have acted on Confiant's warnings about Tag Barnakle so far.

"The campaign itself is ongoing among the ad servers that are still compromised," Stein told ZDNet.

"We have notified the owner of every single ad server about the breach, but not everyone has followed up with us. Some of the ad servers were impacted briefly, maybe just a matter of days before the ad server owner patched the breach. Others continue to be live to this day," he added.

"From our standpoint, we continue to block any ads on behalf of our customers that are being served from ad placements previously associated with the compromise."

Stein also said that Confiant will be publishing more reports on malvertisers hacking ad servers and their tactics going forward.