Malvertising Campaign Hits Popular Websites

In an era when more and more of daily life moves online, a little caution goes a long way. Ads and offers are everywhere on the web, and it is easy to click one on impulse; some of them exist only to deliver malware. Malvertising, the use of online advertising to spread malicious code or push potentially unwanted programs, is rampant, and it pays its operators well. What makes it especially dangerous is that it does not depend on compromising the site the visitor trusts: the publisher's servers are never breached and no vulnerability in them is exploited. The ad network is the vector. A malicious creative bought through a legitimate ad exchange is served on a reputable page, and the visitor's browser is attacked from there. In March 2016 Trustwave SpiderLabs and Malwarebytes reported exactly this against some of the largest publishers on the web, including MSN, AOL and The New York Times.

For more info: http://thehackernews.com/2016/03/what-is-malvertising.html

https://en.wikipedia.org/wiki/Malvertising

The victim does not need to click anything. Code in the malicious ad loads silently with the page and redirects the browser, through a chain of intermediate hosts, to a landing page of the Angler Exploit Kit. Angler exploits vulnerabilities in the browser or its plugins to drop a payload; in this campaign the payloads were the Bedep Trojan and the TeslaCrypt ransomware. Once TeslaCrypt runs, the user's files are encrypted and held hostage for a ransom. Earlier reporting shows how the attackers set this up. They took over an expired domain that had previously belonged to Brentsmedia, an online marketing company that had been a legitimate brand before 2016, so traffic from the domain looked like the business of a known advertiser.

The ad's script first fetched a JSON (JavaScript Object Notation) file containing a list of security products and probed the visitor's machine for each of them. If any of those products was installed, the malicious payload was withheld. This is fingerprinting: by refusing to fire on machines running antivirus or analysis tools, the campaign stayed off the radar of researchers and detection systems for longer. If none of the listed products was found, the redirect fired and the browser was sent on to the malicious pages. Besides the repurposed Brentsmedia domain, the attackers registered two more domains for the redirect chain only days before the campaign began; their WHOIS records follow. The malicious code was injected into otherwise ordinary-looking ads, which is what let them pass through the ad networks unnoticed.

Domain Name: TRACKMYTRAFFIC.BIZ
Creation Date: 2016-02-27
Sponsoring Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Organization: PrivacyProtect.org
IP address: 104.28.18.116 (CloudFlare)

Domain Name: TALK915.PW
Creation Date: 2016-02-25
Sponsoring Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Name: Rocko Mantas
Registrant Organization: Best Media ltd
IP address: 104.27.190.84 (CloudFlare)

Source: https://blog.malwarebytes.org/threat-analysis/2016/03/large-angler-malvertising-campaign-hits-top-publishers/


Ad networks/platforms

Redirect chains observed through each ad platform: the first-stage tracker call to trackmytraffic.biz, the second-stage call to talk915.pw, and the Referer header that identifies the ad network (and, where present, the publisher page) that served the ad.

Google:

  • www.trackmytraffic.biz/imp_track?zone=975

  • talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.470974263806
    -> Referer: http://tpc.googlesyndication.com/safeframe/1-0-2/html/container.html

AppNexus:

  • www.trackmytraffic.biz/tracker?zone=145&camp=Tapika

  • talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.0458697036987
    -> Referer: http://lax1.ib.adnxs.com/{redacted}&referrer=http%3A%2F%2Fwww.nytimes.com{redacted}

AOL:

  • www.trackmytraffic.biz/imp_track?zone=6899&camp=Vemeo

  • talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.22486335239
    -> Referer: http://www.aol.com/_uac/adpage.html

Rubicon:

  • www.trackmytraffic.biz/imp_track?zone=6899&camp=Vemeo

  • talk915.pw/track/k.track?wd=48&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff=0.515004501486
    -> Referer: http://optimized-by.rubiconproject.com/a/11648/36322/150620-15.html?&cb=0.49251904142839664&tk_st=1&rf=http%3A//my.xfinity.com{redacted}
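The indicators above (the two redirect domains, their tracker paths, the CloudFlare addresses and the ad-network hosts that appear as Referers) are enough to hunt for this chain in web-proxy logs. The script below is an added example written for this page; it is not code from the original article or from Malwarebytes. The log format (timestamp, client IP, method, URL, quoted Referer) and the log lines themselves are constructed for the example, not real traffic. It scores a request high when a known tracker path on a campaign domain is reached with an ad-network Referer, which is the pattern the chains above show, and low for a bare hit on a CloudFlare IP, because those addresses are shared with many innocent sites.

```python
"""Hunt for the Angler malvertising redirect chain in web-proxy logs.

Added example, not code from the original article or from Malwarebytes.
Domains, paths, IPs and ad-network referers are taken from the indicators
listed in the article; the log format and sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Indicators from the article's redirect chain.
IOC_DOMAINS = {"trackmytraffic.biz", "talk915.pw"}
IOC_PATHS = {"/imp_track", "/tracker", "/track/k.track"}
# CloudFlare fronts for the two domains: shared addresses, so a weak indicator on their own.
IOC_IPS = {"104.28.18.116", "104.27.190.84"}
# Legitimate ad-network hosts seen as Referers; benign alone, interesting as
# the hop immediately before a campaign domain.
AD_NETWORK_REFERERS = {
    "tpc.googlesyndication.com",
    "lax1.ib.adnxs.com",
    "www.aol.com",
    "optimized-by.rubiconproject.com",
}

# Constructed (assumed) log format: <ts> <client> <method> <url> "<referer>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<referer>[^"]*)"$'
)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(entry):
    """Return (severity, reason) for a parsed entry, or None if it looks clean."""
    url = urlsplit(entry["url"])
    host = (url.hostname or "").lower()
    ref_host = (urlsplit(entry["referer"]).hostname or "").lower()
    bare = host[4:] if host.startswith("www.") else host

    if bare in IOC_DOMAINS:
        if url.path in IOC_PATHS and ref_host in AD_NETWORK_REFERERS:
            return ("high", f"{host}{url.path} reached via ad network {ref_host}")
        if url.path in IOC_PATHS:
            return ("high", f"known tracker path {url.path} on {host}")
        return ("medium", f"request to campaign domain {host}")
    if host in IOC_IPS:
        return ("low", f"direct request to campaign IP {host} (shared CDN address)")
    return None


def hunt(lines):
    """Classify every line; return a list of (client, severity, reason) hits."""
    hits = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            hits.append((entry["client"], *verdict))
    return hits


# Constructed sample log lines (not real traffic): one client walks the
# NYT -> AppNexus -> trackmytraffic.biz -> talk915.pw chain, another only
# loads a Google SafeFrame and then touches a CloudFlare IP directly.
SAMPLE_LOG = [
    '2016-03-14T10:01:02Z 10.0.0.5 GET http://www.nytimes.com/ "-"',
    '2016-03-14T10:01:03Z 10.0.0.5 GET http://lax1.ib.adnxs.com/ttj?id=1 "http://www.nytimes.com/"',
    '2016-03-14T10:01:03Z 10.0.0.5 GET http://www.trackmytraffic.biz/tracker?zone=145&camp=Tapika "http://lax1.ib.adnxs.com/ttj?id=1"',
    '2016-03-14T10:01:04Z 10.0.0.5 GET http://talk915.pw/track/k.track?wd=48&fid=2 "http://lax1.ib.adnxs.com/ttj?id=1"',
    '2016-03-14T10:05:00Z 10.0.0.9 GET http://tpc.googlesyndication.com/safeframe/1-0-2/html/container.html "http://www.aol.com/"',
    '2016-03-14T10:06:00Z 10.0.0.9 GET http://104.28.18.116/ "-"',
]

if __name__ == "__main__":
    for client, severity, reason in hunt(SAMPLE_LOG):
        print(f"{severity:6} {client:10} {reason}")
```

Feed it real proxy logs by swapping `SAMPLE_LOG` for the file's lines and adjusting `LOG_RE` to the proxy's format; the two campaign domains were newly registered a few days before the attack, so pairing this with a registration-age check on any domain reached from an ad-network Referer catches the next campaign too, not just this one.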