These malicious ads redirect unsuspecting users to malware-laden sites, typically masquerading as Adobe Flash Player update pages. The campaign, which has been running for at least nine months, was discovered by researchers at Confiant.
Confiant says the campaign is ongoing and is carried out by mass compromise of Revive Ad Server instances; at least 60 servers have been affected. Once a server is compromised, the attackers append their malicious payload to the ads already served from its existing ad slots, which gives them free access to publisher inventory without buying any ad space. The researchers have dubbed the threat actor Tag Barnakle.
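As a practical check for the kind of tampering described above, the following is an added example (not Confiant's tooling and not code taken from the campaign) of a baseline-diff scan a publisher could run against the HTML its ad server returns for each slot: record the tag each slot serves for a known creative, refetch it periodically, and flag anything appended after the recorded baseline, especially inline script that redirects the visitor or mentions a Flash Player update. The slot IDs, the sample ad tag, the appended payload and the indicator patterns are all constructed for illustration and are not real Revive output or real campaign artefacts.

```python
"""Baseline-diff check for ad-slot tampering (added example, not Confiant's code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Indicators of the behaviour the article describes: an appended script that
# sends the visitor to a fake "Flash Player update" page. These patterns are
# illustrative assumptions, not signatures published by Confiant.
SUSPICIOUS_PATTERNS: Dict[str, str] = {
    "inline_script": r"<script\b[^>]*>",
    "redirect": r"(window|document|top)\.location|location\.(href|replace|assign)",
    "flash_lure": r"flash[\s_-]*player|get[\s_-]*flash",
    "obfuscation": r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(",
}


@dataclass
class Finding:
    slot_id: str
    kind: str                  # "appended": baseline intact with extra content after it
                               # "modified": served tag no longer starts with the baseline
    extra: str                 # the unexpected content that was examined
    indicators: List[str] = field(default_factory=list)


def check_slot(slot_id: str, baseline: str, served: str) -> Optional[Finding]:
    """Compare the tag currently served for one slot against its recorded baseline.

    Returns None when they match exactly. Otherwise returns a Finding saying
    whether content was appended to an intact baseline or the tag was modified
    outright, plus the suspicious indicators matched in the unexpected content.
    """
    if served == baseline:
        return None
    if served.startswith(baseline):
        kind, extra = "appended", served[len(baseline):]
    else:
        kind, extra = "modified", served
    hits = [name for name, pattern in SUSPICIOUS_PATTERNS.items()
            if re.search(pattern, extra, re.IGNORECASE)]
    return Finding(slot_id, kind, extra, hits)


def scan(baselines: Dict[str, str], served: Dict[str, str]) -> List[Finding]:
    """Run check_slot over every slot with a recorded baseline; unknown slots are skipped."""
    findings: List[Finding] = []
    for slot_id, baseline in baselines.items():
        if slot_id in served:
            finding = check_slot(slot_id, baseline, served[slot_id])
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample data: a benign banner tag and a hypothetical appended payload
# that fingerprints the browser and redirects to a fake Flash Player update page.
BASELINE_TAG = (
    '<div class="ad"><a href="https://advertiser.example/landing">'
    '<img src="https://cdn.advertiser.example/banner.png" width="300" height="250">'
    '</a></div>\n'
)
APPENDED_PAYLOAD = (
    '<script>if(navigator.userAgent.indexOf("Mac")>-1){'
    'window.location.href="https://flashplayer-update.example.invalid/install";}'
    '</script>'
)

BASELINES = {"zone-7": BASELINE_TAG, "zone-8": BASELINE_TAG}
SERVED = {"zone-7": BASELINE_TAG + APPENDED_PAYLOAD, "zone-8": BASELINE_TAG}

if __name__ == "__main__":
    for f in scan(BASELINES, SERVED):
        print(f"{f.slot_id}: {f.kind} content, indicators={f.indicators}")
```

In a real deployment the served tags would come from periodic fetches of the ad server's delivery endpoints, one per zone, with the baselines refreshed whenever a creative is legitimately changed; a "modified" finding with no indicators usually means exactly such a legitimate change and is the cue to re-baseline rather than alert.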
Tag Barnakle has managed to get its malicious ads onto thousands of sites. Furthermore, because the compromised servers are integrated with other ad platforms through real-time bidding (RTB), the tampered ads are distributed onward to those companies' inventory as well.
“If we take a look at the volumes behind just one of the compromised RTB ad servers – we see spikes of up to 1.25 [million] affected ad impressions in a single day,” Confiant researchers say.
Tag Barnakle Malvertising: A Rare Case
Compromise of entire ad servers has not been seen for several years; the last such case dates from 2016. Recent malvertising campaigns mostly follow a different pattern: malvertisers set up networks of bogus companies that buy ad placements on legitimate sites, then swap the approved creatives for ones that load malicious code.
That pattern works because some ad networks will sell inventory to such buyers, and both sides profit from the sale. What sets Tag Barnakle apart from other malvertisers is the scale it reaches by compromising ad servers instead, an approach that is far less common for several reasons.
Compromising an ad server is unambiguously illegal, so most malvertising groups are careful to avoid it. It also requires intrusion skills that not every malvertiser has.
In March 2019, Confiant researchers observed another large-scale malvertising campaign that potentially exposed approximately 1 million user sessions; its payload was the Shlayer Trojan.