RoughTed Malvertising Campaign Defeats Ad-Blockers
CYBER NEWS

RoughTed is a large-scale malvertising campaign that saw a peak in March this year but has been active for at least more than a year. Both the Windows and Mac operating systems are targeted, as well as iOS and Android. The operation is quite rare in its comprehensiveness, having used a variety of malicious approaches, from exploit kits to online scams such as fake tech support scams, fake updates, rogue browser extensions, and so on.

RoughTed has also been detected using geolocation to deliver relevant payloads to the exact victims. One of the recently deployed payloads is the infamous Cerber ransomware.

Related Story: CVE-2017-0022 Deployed in AdGholas Malvertising and Neutrino EK

RoughTed Malvertising Campaign in Detail

Jérôme Segura, researcher at Malwarebytes, estimated that the traffic sent via domains related to RoughTed accumulated more than half a billion hits. This traffic also led to many successful infections and this is no surprise as it was combined with highly effective methods that lure users and bypass ad-blockers.

Whoever is behind the malvertising campaign has also been leveraging the Amazon cloud infrastructure, especially its Content Delivery Network. This however is only a small part of the puzzle where ad redirections from various ad exchanges are mixed in to make deciphering the operation quite challenging.

Several factors in this operation stand out. Researchers were able to determine that the traffic comes from thousands of publishers, and some of them were even ranked in Alexa’s top 500 sites. Another fact worth mentioning is that the associated domains accumulated more than half a billion visits in the past 3 months alone.

Fingerprinting and tricks for bypassing ad-blockers were also included in the malvertising campaigns. The worst part, however, is that RoughTed has helped deliver a number of malicious payloads on various platforms, ranging from online scams to malware and ransomware.

Researchers observed RoughTed campaigns closely and noticed the roughted[.]com referrer, which was redirecting to the RIG exploit kit. While they were mining their data set, they started seeing that pattern for more than a hundred other domains.

Related Story: Tech Support Scams: A Bot’s War Against Windows Has Already Begun

Most of these domains were created via the EvoPlus registrar in small batches with a new .ru or .ua email address. Another similarity these domains share is that they are being deployed as a means to bypass ad-blockers.

Most of the traffic for the campaign comes from streaming video or file sharing sites in combination with URL shorteners, which is typical for malvertising.
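The referrer observation above (roughted[.]com sitting between the publisher page and the exploit kit) and the traffic sources just described suggest a simple triage a defender can run over proxy logs. The following is an added example, not code from the article or from Malwarebytes: it rebuilds the page -> ad domain -> landing page chain from constructed log lines by walking the Referer graph backwards per client. All hostnames, IPs and URLs are made up; only roughted[.]com comes from the text.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log (not from the article): time, client IP, requested URL, Referer ("-" if absent).
# Hostnames and IPs are made up; only roughted[.]com is taken from the text.
LOG = """\
10:00:01 10.0.0.5 http://short.example/abc123 -
10:00:02 10.0.0.5 http://roughted.com/ad?sid=9 http://short.example/abc123
10:00:03 10.0.0.5 http://landing.example/index.php?q=1 http://roughted.com/ad?sid=9
10:00:09 10.0.0.7 http://news.example/story -
10:00:10 10.0.0.7 http://cdn.example/banner.js http://news.example/story
"""

# Referrer domains the article ties to the campaign (defanged as roughted[.]com in the text)
CAMPAIGN_DOMAINS = {"roughted.com"}


def host(url):
    """Lower-cased hostname of a URL, or "" if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def parse(log):
    """Split each line into (time, client, url, referer); referer is None when "-"."""
    rows = []
    for line in log.splitlines():
        ts, client, url, ref = line.split()
        rows.append((ts, client, url, None if ref == "-" else ref))
    return rows


def redirect_chains(rows):
    """Rebuild, per client, the page -> ad domain -> landing page chain for every
    request whose Referer is a campaign domain, by walking the Referer graph backwards."""
    by_client = defaultdict(list)
    for _ts, client, url, ref in rows:
        by_client[client].append((url, ref))
    chains = []
    for client, reqs in by_client.items():
        referer_of = {url: ref for url, ref in reqs}  # last referer seen per URL
        for url, ref in reqs:
            if ref is None or host(ref) not in CAMPAIGN_DOMAINS:
                continue
            chain = [url, ref]
            parent = referer_of.get(ref)
            while parent and parent not in chain:  # guard against referer loops
                chain.append(parent)
                parent = referer_of.get(parent)
            chains.append((client, chain[::-1]))
    return chains
```

Running `redirect_chains(parse(LOG))` yields one chain for client 10.0.0.5 (shortener, then the campaign domain, then the landing page) and nothing for the benign client, which is the shape an analyst would pivot on when hunting for the other domains the researchers found following the same pattern.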

As mentioned earlier, many of the domains are ranked in Alexa’s top 1000. Visitors to these websites are targeted with ads, some of which originate from RoughTed.

Sucuri researchers, on the other hand, made another curious observation regarding the involvement of ‘personal’ websites in the malvertising campaign. Apparently, webmasters knowingly integrated an ad code script from the advertising company Ad-Maven into their pages to monetize their website.


Mac Machines Also Targeted

Mac owners should also be aware of this malvertising campaign. A fake Flash Player update has been detected targeting Mac users, masquerading as a file that comes from Apple. Needless to say, users should be extra cautious with updates that are “served” this way. Unfortunately, cybercriminals are very good at creating tricky pages and may also use scareware tactics to improve the chance of a successful compromise.

The Windows operating system, on the other hand, has been targeted with fake updates for Java and Flash, and also with fake codecs. Pages tricking users into installing such fake updates are mixed with adware.

Related Story: How to Detect and Remove Phishing (Spoofing) Web Pages

Chrome Targeted with Rogue Browser Extensions

Even though Chrome is often referred to as one of the safest browsers, it has fallen victim to the RoughTed campaign. Users may even be forced to download malicious Chrome extensions. The pop-up leading to the download may contain a text like “Add extension to leave” or something of the sort.

Furthermore, both iOS and Android appear to be targeted by the campaign.

In a nutshell, researchers say that the fact that ad-supported content is deployed to distribute scams or malware is really troublesome. What is worse is that even users with ad-blockers are not spared and fall victim to the campaign. Who is responsible? Is it the ad networks, or is it the publishers that deliberately expose users to malicious code in the interest of ad revenue?

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim


2 Comments

  1. Terry Licia

    Do you find it odd that it all started in March? The March updates from MS? The ones that have screwed me out of about 500 hours of WORK TIME! Grrrr! Have run all kinds of programs from all kinds of services and can find nothing on my computer that is not supposed to be there, but nowadays, I’m really unsure of what’s supposed to be there anyway!!

    1. Vencislav Krustev

      Yes, Microsoft have a lot of work to do regarding how they present updates. I have seen users who are unable to do anything, not even save their work, and just wait for the countdown timer to run out and their computer restarts, because the updates have been delayed for far too long and they have to be set up.. really gets on your nerves.. PS: this was on 8, I believe..
