Examining the role of ad networks in malvertising threats
Malvertising has been a persistent infosec threat for more than a decade. Over the years, threat actors have found a variety of ways to weaponize digital advertisements and deliver malware to unsuspecting users in both enterprise and consumer spaces. And some experts warn that malvertising threats are becoming increasingly complex -- and dangerous.
Last summer, Check Point Research revealed an extensive and unique malvertising campaign that it called "Master134." The campaign started with hijacked traffic from more than 10,000 infected WordPress sites and ended with some of the biggest exploit kits in the threat landscape, which delivered ransomware, banking Trojans and botnets. And in between the two ends of the spectrum, Check Point researchers discovered something unusual: a vast array of ad network platforms and redirection domains, through which the hijacked traffic was being bought and sold.
According to Check Point Research, a routine examination of exploit kit traffic revealed "an alarming partnership" between threat actors and legitimate online ad companies. These ad networks roundly denied they were knowingly involved in the Master134 campaign and instead blamed rogue publisher clients for any malicious activity. One of the ad networks successfully lobbied to have its name removed from Check Point's report.
However, a months-long investigation by SearchSecurity revealed these ad networks had troubled histories, questionable practices and links to similar malvertising campaigns in the past. In addition, our investigation uncovered other ad networks connected to the Master134 campaign that were not named in Check Point's original report.
This six-part series explores the Master134 campaign and the role played by ad networks, who experts say turned a blind eye to malicious activity in order to make money. Read on to find out more about Master134 and how it reveals troubling trends for the online advertising industry and the future of malvertising threats.