Malvertising: The Illegal Form of Lying

H.G.Wells once said that advertising is merely a legalized form of lying. In the age of digital marketing, though, it seems that threat actors have taken the saying a step further and created an illegal form of lying out of the online advertising industry.


In an alarming discovery by Check Point Research, threat actors have found a new and complex way to abuse the digital infrastructure of the online advertising industry to spread malware to millions of internet users worldwide. This is widely known as ‘malvertising’ and, in this case, starts with the compromising of thousands of WordPress websites, involves multiple parties in the online advertising chain and ends with the distribution of malicious content to web users everywhere.


For those unfamiliar with how the online advertising industry operates, it’s important to understand that the industry is based on three main elements:


  • Advertisers who wish to promote their products or content.
  • Publishers who allocate space on their website and sell it to Advertisers.
  • Ad-Networks that bid to buy ad space and connect Advertisers to Publishers.


In addition to these parties are ‘Resellers’. These companies work with Ad-Networks to resell the traffic that Ad-Networks collect from Publishers on to other Advertisers.


The online advertising chain


The discovered malvertising campaign revealed a disturbing partnership between a threat actor disguised as a Publisher (dubbed ‘Master134’) and several legitimate Resellers that leverage this relationship to distribute a variety of malware including Banking Trojans, ransomware and bots. Powering the whole process was the powerful Ad-Network, AdsTerra. A full analysis of this well-planned malvertising operation can be found here.


In brief, the research revealed how Master134 redirected stolen traffic from over 10,000 hacked WordPress sites and sold it to AdsTerra, the real time bidding (RTB) ad platform, who then sold it to Resellers (ExoClick, EvoLeads and AdventureFeeds). These Resellers would then pass this traffic on to the highest bidding ‘Advertiser’. However, instead of the advertiser being a legitimate company selling actual products, these ‘advertisers’ were threat actors looking to distribute ransomware, Banking Trojans, Bots and other malware to Master134’s traffic.


In this way, cyber criminals are simply making a laughing stock of the online advertising ecosystem by leveraging the legitimate automated system integral to the ad networks and resellers’ bidding platforms to their advantage. They do this by bidding alongside legitimate advertisers, like Nike or Coca Cola, but placing higher bids in order to have the ad-networks select their malware laden ads to display on thousands of publishers’ websites rather than clean legitimate ads.

An artist’s illustration of how malvertisers win the bidding auction over legitimate advertisers.


In the example above, payment can also be made legitimately to ‘Bad Publishers’ such as Master134 via the ad-networks themselves too. In this way, the payment system in this cunning scheme is also whitewashed, courtesy of the online advertising ecosystem.


Furthermore, malvertisers (threat actors disguised as advertisers) can even measure the ROI of their ad-spend in relation to the income gained by infected users paying the ransom to unlock their files following the malvertiser’s ransomware campaign, or cash drained from victims’ accounts following a Banking Trojan campaign.


The malvertising operation orchestrated by Master134 and the threat actors bidding against legitimate advertisers.


Fatal Attraction Towards Malvertising


Of course, malvertising is not a new phenomenon. According to a report by eMarketer, the global digital media market’s total spend is expected to reach $357 Billion by 2020. It is not surprising that cyber criminals see the opportunities to manipulate the relationship between advertisers and publishers to cut out a slice of digital-ad-spend pie for themselves.


Over the past ten years, ads displayed on legitimate and often popular websites have emerged as a key way criminals infect unsuspecting computer users. In some cases, the ads contain malicious code that exploits unpatched vulnerabilities in browsers or browser plug-ins, such as Adobe’s Flash Player. Such ads have the ability to install ransomware, keyloggers, and other types of malware where users need do nothing more than simply visit a site hosting the malicious link.


As a direct consequence, the use of ad-blockers gained rapidly in popularity, with 22% of UK citizens now implementing them. But according to the Internet Advertising Bureau (IAB), this number has stalled due to publishers taking action to block site access to those with ad-blockers enabled.  So in February this year, Google took matters into its own hands and teamed up with the Coalition for Betters Ads to roll out an ad blocker on Google Chrome that now automatically strips ads from sites whose quality does not adhere to industry standards. However, Google’s adblocker concerns itself more with annoying and intrusive ads than malvertising and is not the solution to ending this highly profitable form of cyber crime.


Indeed, due to the nature of the online advertising ecosystem, that allows publishers to connect with advertisers through a complex system of intermediaries and exchanges, there are simply too many variables of ad targeting to enable either Google or ad-networks and their resellers to detect every malicious advert.


As mentioned earlier, advertisers use real time bidding platforms from resellers and ad-networks to bid in real time for the rights to display their ads to particular users, and those ads include custom JavaScript code that runs in the user’s browsers. The exact content users see depends on who they are, where they are, what kinds of devices they’re running and many other variables. This makes it incredibly difficult for both publishers and ad networks to conclusively review every version of an ad for malicious content.


From the advertiser’s perspective, or in this case ‘malvertisers’ (threat actors disguised as advertisers), users can even be targeted according to whether or not they have unpatched operating systems or browsers, and even specific device types. So, even if a high level scanning is done to ensure the creatives are clean, unless the exact combination of characteristics malvertisers are targeting is found, ad-networks are simply not going to detect the malicious activity.


Always Have a Backup Plan


Our research clearly raises questions about the proper ad verification methods used in the online advertising industry and the current role of ad-networks in the malvertising ecosystem as a whole. Indeed, as seen in this latest analysis, it seems these companies are at best being manipulated, and at worst complicit, in powering these attacks.


Unfortunately, no matter how much awareness there is amongst an organization’s employees, or home computer users for that matter, due to the passive nature of malware being delivered simply by loading onto a user’s screen via a malicious ad, it will never be enough.


Instead, as these attacks are targeted towards the end-point rather than the network, organizations need a multi-layered approach to their cyber security to stay fully protected not only from known threats, but also against unknown malware and zero-day threats, like malvertising.  Check Point’s SandBlast Zero-Day Protection and Mobile Threat Prevention, for example, protect against the widest range of continually evolving attack types, and also protect against zero-day malware variants.


To understand more about how zero-day threats can be prevented, please download our white paper.


Update: This blog post was updated on 8/1/18 following further investigation which determined that a previously named reseller was not involved.