A malicious actor essentially posing as a web publisher compromised more than 10,000 WordPress websites in an elaborate malvertising campaign involving various ad resellers and ad networks, according to a report.
Check Point Software Technologies, whose researchers discovered the scam, revealed in a July 30 blog post that the operation redirected users who visited the sabotaged websites to a malicious server, then to an advertising page, and finally to a Rig Exploit Kit page distributing trojans, ransomware and botnet malware.
Check Point suggests the malicious actor posed as a web publisher, selling traffic he hijacked from legitimate websites to ad networks, which in turn sold that same traffic to ad reseller companies whose "clients" appear to have been cybercriminals specializing in exploit kits.
All of the affected websites were running WordPress 4.7.1, a version released on Jan. 11, 2017 and superseded many times since, which left them exposed to remote code execution. At least some of these sites were infected with a Potentially Unwanted Program (PUP) that altered their homepage to enable the redirection to the malicious server, the report explains.
The operator of the server, dubbed Master134 (after the first three digits of his server's IP address), appears to be "a key player in the drive-by [attack] landscape," who was previously responsible for the HookAds and Seamless malvertising campaigns, as well as a tech support scam, Check Point reports.
Master134's remote server would redirect victims via a jquery.js request to an ad page, including one run by Adsterra, an ad network that has previously been leveraged in Magnitude Exploit Kit malvertising attacks, notes Check Point, citing a Malwarebytes report. Indeed, an examination of Master134's recent redirection history revealed a series of Adsterra domains linked to malicious sites and exploit kit pages, including hibids10[.]com, the domain used in the campaign discovered by Check Point, which commenced on Apr. 4 and ended on June 20.
The Adsterra-run page would then redirect the users one more time to the Rig EK page, which apparently was set up by additional cybercriminals who bought Master134's traffic through resellers who do business with Adsterra.
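The two site-side indicators described above (a WordPress 4.7.1 core, and a homepage that loads jquery.js from a host other than the site itself) can be checked from a saved copy of the homepage. The scanner below is an added example written for this page, not Check Point's tooling or code from the report; the HTML it parses is constructed, and the redirector host name in it is a placeholder rather than an indicator from the campaign.

```python
"""Scan a saved WordPress homepage for an outdated core version advertised in
the generator tag and for <script>/<iframe> sources that point off-site, such
as a jquery.js fetched from a redirector instead of from the site itself.

Added example for this page, not Check Point's tooling. SAMPLE_HTML and
CLEAN_HTML are constructed; redirector.invalid is a placeholder host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The report names 4.7.1 as the version all affected sites ran; anything at or
# below it is treated as outdated here.
OUTDATED_THRESHOLD = (4, 7, 1)


class _Collector(HTMLParser):
    """Collect the generator meta tag and every script/iframe src."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.refs = []  # (tag, src) pairs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        elif tag in ("script", "iframe") and a.get("src"):
            self.refs.append((tag, a["src"]))


def wordpress_version(html):
    """Return 'x.y.z' from <meta name="generator" content="WordPress x.y.z">, else None."""
    c = _Collector()
    c.feed(html)
    if c.generator and c.generator.lower().startswith("wordpress "):
        return c.generator.split(" ", 1)[1].strip()
    return None


def _version_tuple(v):
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def _absolute(src):
    """Make protocol-relative URLs absolute; leave relative paths as ''."""
    if "://" in src:
        return src
    if src.startswith("//"):
        return "https:" + src
    return ""


def offsite_references(html, site_host):
    """Return (tag, src) for every script/iframe whose host is not site_host.

    Relative paths stay on the site and are skipped.
    """
    c = _Collector()
    c.feed(html)
    found = []
    for tag, src in c.refs:
        u = urlparse(_absolute(src))
        if u.hostname and u.hostname.lower() != site_host.lower():
            found.append((tag, src))
    return found


def assess(html, site_host, threshold=OUTDATED_THRESHOLD):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    v = wordpress_version(html)
    if v is not None and _version_tuple(v) <= threshold:
        findings.append(
            f"outdated WordPress core {v} (<= {'.'.join(map(str, threshold))})"
        )
    for tag, src in offsite_references(html, site_host):
        name = urlparse(_absolute(src)).path.rsplit("/", 1)[-1].lower()
        label = "off-site jquery.js" if name == "jquery.js" else f"off-site {tag}"
        findings.append(f"{label}: {src}")
    return findings


# Constructed sample: outdated core plus a jquery.js pulled from a placeholder host.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.7.1">
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="http://redirector.invalid/jquery.js"></script>
</head><body><p>Hello</p></body></html>"""

# Constructed sample of a page with nothing to flag.
CLEAN_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.9.8">
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for line in assess(SAMPLE_HTML, "blog.example.org"):
        print(line)
```

Themes can suppress the generator tag, so a missing version is not a clean result, and an off-site script is a lead to verify rather than proof of compromise (a CDN-hosted library looks the same), which is why the function reports findings instead of acting on them.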
"Based on our findings, we speculate that the threat actors pay Master134 directly. Master134 then pays the ad-network companies to re-route and perhaps even disguise the origins of the traffic," the blog post reads. "In such a scenario, Master134 plays a unique role in the cybercrime underworld; he is generating profit from ad revenue by working directly with AdsTerra and is successfully making sure this traffic reaches the right, or in our case, the wrong hands."
The Check Point blog post continues: "Although we would like to believe that the resellers that purchase Master134's ad space from Adsterra are acting in good faith, unaware of Master134's malicious intentions, an examination of the purchases from Adsterra showed that somehow, space offered by Master134 always ended up in the hands of cybercriminals, and thus enables the infection chain to be completed. In short, it seems threat actors seeking traffic for their campaigns simply buy ad space from Master134 via several ad-networks and, in turn, Master134 indirectly sells traffic/victims, to these campaigns via malvertising."
Check Point accuses Adsterra of being complicit as well, explaining that for the operation to succeed, "the ad network would need to turn a blind eye... This may be done by choice, in order to maximize the financial gain regardless of the damage caused to internet users, or it may be done unknowingly, due to the lack of ad-verification technology..."
Asked for comment, Adsterra sent SC Media the following statement via email: "To begin with we would like to emphasize that we do not accept traffic from hacked/hijacked sites. All publishers' accounts that were mentioned in that article have been suspended. Malware ads are prohibited in Adsterra Network and we have a monitor system that checks all campaigns and stops all suspicious campaigns. However, the logs from the article demonstrate that those ads came from third-party networks, which are hard to control. Third-party ads served by other ad networks connected to our supply using RTB/XML protocols. We will contact the networks that were mentioned in that article and notify them of the problems discovered. We will thoroughly check the information from the article and update our compliance policies and monitoring software accordingly."
Check Point reports that at least four third-party resellers bid on ad space offered through the compromised websites via Master134 and Adsterra. The researchers listed them as ExoClick, EvoLeads, AdventureFeeds and AdKernel.
However, in comments sent to SC Media, AdKernel said it is not actually a reseller, and also said Check Point's blog post had "serious factual errors." Indeed, on Aug. 1, Check Point revised its blog post, deleting references to AdKernel, after determining the company was not involved.
"Specifically, we are not now and have never been a reseller or ad network as the article suggests," AdKernel stated in its comments. "AdKernel is a leading white-label ad-serving technology company to ad networks and resellers. We provide ad-serving tools (including but not limited to RTB tools, analytics, optimization algorithms and much more) to hundreds of businesses around the world. The errors in this article are compounded since Check Point assumed Adkernel owns domains: Junnify.com and Bikinisgroup.com. We do not! They are owned by ad network clients of AdKernel. Another factual error."
"In the end, we actively work on rooting out malware and this is critical to our organization," AdKernel continues. "This is why we offer our customers many tools and technologies to address these fraud issues, yet it is up to the individual customer to determine how they manage malware within their ad stream."
SC Media also reached out to EvoLeads and AdventureFeeds for comment. SC was unable to reach ExoClick because its website was deemed unsafe to visit by the news outlet's web security protections.