Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them. To bypass detection mechanisms developed by these websites to uncover malicious domains, threat actors utilize a technique called a “Redirect Chain” wherein the malicious domain is served in the last redirect instead of embedding it in the popup ad banner. Although the technique is simple, the sheer scale of it is alarming as the threat actors have managed to utilize a massive network of 9,000+ domains to do the same.
To shield against malicious advertisements on legitimate sites, install ad blockers and maintain updated software. Employ a comprehensive security suite, adjust browser settings, and be cautious of suspicious ads, verifying URLs before clicking. Stay informed about online threats, use click-to-play plugins, and consider a VPN for added privacy.
Abusing Advertisement Services
The utilization of advertisements as a conduit for malware delivery has proven to be an exceedingly lucrative strategy for threat actors. The inherent nature of online ads, which are pervasive across the internet, offers an expansive and unsuspecting user base as potential victims. Malicious actors exploit the trust users place in legitimate advertising platforms, capitalizing on the vast reach and frequency of ad displays to maximize their impact. By compromising ad networks or embedding malicious code within seemingly harmless ads, threat actors can deliver malware, ranging from trojans to ransomware, directly to users' devices. This approach provides a cost-effective means for attackers to deploy their malicious payloads without the need for elaborate distribution mechanisms. Either the threat actors create accounts on these advertisement platforms using forged documents. Or in some cases, source the credentials for accounts on various advertisement websites from infostealer malware.
“The whole ecosystem feeds on itself and it is a complete cycle as the same sourced accounts are used to deliver info stealer malware and compromise more users.”
Some of the popular advertisement services being abused by the threat actors are:
- Rich Ads
- Juicy Ads
Most advertisement services allow injecting domains along with the advertisement being shown which once clicked will redirect the user to that particular domain. However, injecting malicious domains into these ad banners can get the accounts being used by the threat actors blacklisted by advertisement platforms. Because most of them have mechanisms to stop malicious domains from being injected into the ad banners. To evade this, threat actors use a technique called a “Redirect Chain”.
The Redirect Chain
Once a user clicks on any of the advertisements being run by the threat actors they are taken to a domain that does not serve any kind of malware but merely redirects the user to the next domain. This is the first link in the chain and we may call it the “Fingerprinting Domain”.
The Fingerprinting Domain
This first domain runs scripts on the user’s browser and detects a variety of things such as whether the browser is running in an emulator, user device, region, etc. Based on this data and the type of ad banner clicked by the user it creates a unique profile for each user and assigns a parameter called ‘key’. This is unique for each user and this parameter is sent along with the get request to the next domain called the “Matcher Domain”.
The Matcher Domain
The “Matcher Domain” receives some parameters from the “Fingerprinting Domain” and based on that it decides which website to finally serve to the user. In the backend, it makes this decision based on factors such as the geolocation of the user, the preference of the user in clicking ads, etc. For instance, if someone clicks on a finance-related ad they are more likely to be redirected to crypto-related scam domains. The domain even detects if the request is being made via VPN or a Tor and then serves the user a fixed domain or redirects them to Google.
This is generally the malicious domain that either asks the users to download a particular software or to register on a betting website, or to enable notifications so that constant ads can be pushed by the user to the desktop. This domain is the last in the chain as
A sample redirect chain in action can be seen here: https://drive.google.com/file/d/1yeLJotDlZJviHKg-T_Gd06DSt5vEl8sk/view?usp=sharing
What is alarming about this method used by the threat actors it the sheer scale of their infrastructure. We were able to identify 10 IP addresses, on each of which 9000+ domains have been pointed in the past 30 days! However since the IPs are being rotated, the unique count is 9442 domains. In order to obtain such a large number of domain names, the threat actors either use some sort of automation or source hacked websites that are already offered on sale in bulk on various dark web forums.
Certain Autonomous System Numbers (ASNs) have gained notoriety for their association with phishing and malware-related activities. This reputation often stems from a variety of factors such as:
- One common issue is the presence of lax security measures within these ASNs, making them attractive targets for cybercriminals who exploit vulnerabilities and host malicious content. Additionally, some ASNs allow users to register services anonymously, providing a conducive environment for malicious actors to operate without easy identification.
- The concept of "bulletproof hosting" is prevalent, where specific ASNs or hosting providers intentionally overlook illegal activities, enabling the hosting of phishing sites and the distribution of malware.
- Compromised networks, whether due to inadequate security or compromised credentials, can unknowingly facilitate these malicious activities.
- Another contributing factor is the failure of some ASNs to promptly respond to abuse reports or take sufficient action against illicit activities on their networks. Rapid changes in ASN ownership or management may signal instability, creating an environment where phishing and malware attacks can thrive.
Some of the ASNs that we were able to identify associated with the campaign and have been reported for phishing, malware, etc. are as follows::
Upon deobfuscation we can see that in line 10 there exists a variable called ‘lieDetector’ which is assigned a value from various functions that fingerprint the user’s browser and the device.
Thereafter once the user is verified, based on the key the script can make an HTTP request to other domains in the same campaign, and in this manner the user goes through the redirect chain.
To protect yourself against the threat of malicious advertisements on legitimate sites, consider implementing the following mitigation strategies:
- Ad Blockers: Install reputable ad-blocking browser extensions or software to filter out potentially harmful advertisements. These tools can prevent malicious content from loading, reducing the risk of inadvertently clicking on a compromised ad.
- Keep Software Updated: Regularly update your operating system, web browsers, and security software. Software updates often include patches for vulnerabilities that threat actors may exploit to deliver malware through advertisements.
- Use a Security Suite: Employ a comprehensive security suite that includes features such as anti-malware, anti-phishing, and real-time threat detection. This can add an extra layer of defense against malicious advertisements.
- Browser Security Settings: Adjust your browser's security settings to their highest level. Configure settings to block pop-ups, disable automatic downloads, and enable browser-based security features that can help identify and block malicious content.
- Exercise Caution and Verification: Be skeptical of ads that seem too good to be true or employ sensationalist language. Avoid clicking on suspicious advertisements, and hover over links to preview the destination URL before clicking to verify its legitimacy.
- Educate Yourself: Stay informed about common online threats and tactics used by cybercriminals. Being aware of potential risks can empower you to recognize and avoid engaging with malicious advertisements.
- Enable Click-to-Play Plugins: Configure your browser to require permission before running plugins like Flash or Java. This way, potentially harmful content won't execute without your explicit consent.
- Use a Virtual Private Network (VPN): Employing a VPN can help mask your online activities and add an extra layer of privacy and security, reducing the risk of targeted malicious advertisements.
- Regular Backups: Regularly backup your important files to an external drive or secure cloud service. In the event of a malware infection, having up-to-date backups ensures that you can restore your system without losing critical data.
- Monitor Account Activity: Regularly review your financial and online accounts for any suspicious activity. Malicious ads may attempt to trick users into providing sensitive information, so staying vigilant is crucial for early detection and response.