“Master134” believed to be behind numerous other scams

UPDATED 31st August 2018 17.53 with comment from AdsTerra, AdKernel

Researchers at Tel Aviv-headquartered cybersecurity vendor Check Point have identified a new malicious campaign that piggybacks on the infrastructure of high profile online advertising companies to spread a wide range of malware.

The so-called “malvertising” campaign, overseen by a cybercriminal dubbed “Master134”, redirects traffic from over 10,000 hacked WordPress websites and sells it to well known real-time bidding (RTB) ad platform AdsTerra.

AdsTerra then resells the traffic to several other companies – in this case, ExoClick, AdKernel, EvoLeads, AdventureFeeds – who sell this traffic to their clients. Criminal advertising buyers, in turn, use clicks on corrupted ads to to spread a wide range of malware, including banking trojans.

Check Point said: “An examination of the purchases from AdsTerra showed that somehow, space offered by Master134 always ended up in the hands of cyber criminals, and thus enables the infection chain to be completed.”

Check Point has observed over 40,000 infection attempts per week (i.e. at least 40,000 clicks on malicious adverts weekly) and the campaign is still active.

AdsTerra told Computer Business Review in an emailed statement: “All publishers accounts that were mentioned in that article have been suspended. Malware ads are prohibited in Adsterra Network and we have a monitor system that checks all campaigns and stops all suspicious campaigns. However the logs from the article demonstrate that those ads came from third-party networks which are hard to control.”

The company, which sent an unsigned email, added: “3rd party ads served by other ad networks connected to our supply using RTB/XML protocols. We will contact the networks that were mentioned in that article and notify them of the problems discovered.”

AdsTerra added that it was updating its compliance policies and monitoring software.

Updated: AdKernel told Computer Business Review it is not an ad reseller but rather a “white-label ad-serving tech firm”, emphasising that two domains named by Check Point in its report are not owned by AdKernal, but its ad network clients.

It added: “Rooting out malware is critical to our organization and we offer our customers many tools and technologies to address these issues. Yet it is up to the individual customer to determine how they manage malware within their ad stream.”

How Does the Malware Advertising Process Work?

As Check Point’s team – who linked “Master134” to numerous other scams – put it: “We wouldn’t expect that a threat actor, such as the ones involved in the process, would be able to retain the advertising services of an Ad-Network company.

“Based on our findings, we speculate that the threat actors pay Master134 directly. Master134 then pays the ad-network companies… In such a scenario, Master134 plays a unique role in the cybercrime underworld; he is generating profit from ad revenue by working directly with AdsTerra and is successfully making sure this traffic reaches the right, or in our case – the wrong hands.”

What’s the Solution?

Asked by Computer Business Review what ad networks and resellers can do, a Check Point spokesman said: “Due to the really fast nature of the transactions, and the sheer volume of advertisements, we believe that there is no real-time monitoring by humans.”

They added: “The advert resellers need to know that their customers are ‘bad guys’, but most of them preform no vetting of customers on their part. Ideally, we would like to see ad-networks do more in order to eliminate malicious advertisements.”

“As this malvertising campaign is all over the web, an effective approach for organizations to protect their networks is multi-layer protection – consisting of IPS on the network to prevent malicious redirections and remote code execution, but also sandboxing on employee endpoints to block zero-day attacks.”

Malvertising Proliferates

Malvertising is proliferating, muddying the waters of an already opaque online advertising environment.

Last month Bitdefender, for example, identified an “extremely sophisticated piece of rootkit-based spyware” that has been running covertly since early 2012.

The malware, “Zacinlo”, infects users’ computers and either opens invisible browser instances to load advertising banners in it, then simulates clicks from the user, or it replaces ads loaded naturally inside the browser with the attacker’s ads in order to collect the advertising revenue.

As Computer Business Review reported last month, the FBI is reported to be investigating media trading practices in the US advertising industry amid concerns about a lack of transparency and potential money laundering.