santiago silver - Fotolia
Two digital advertising networks that were previously implicated in extensive malvertising campaigns are apparently at it again.
Adsterra and Propeller Ads, both headquartered in Cyprus, were most notably connected to the Master134 malvertising campaign, which was uncovered by researchers at Check Point Software Technologies in 2018.
While Adsterra denied any direct involvement in the campaign, Check Point researchers said the ad network was purchasing traffic from a known cybercriminal and either knew the activity was malicious or chose to ignore the warning signs.
Propeller Ads was not named in Check Point's Master134 report, but SearchSecurity discovered a domain that redirected hijacked traffic from more than 10,000 WordPress websites belonged to the ad network. A Propeller Ads spokesperson said the company was unaware of the malicious activity.
Both ad networks have staunchly denied any direct involvement in malvertising campaigns and, despite making money off such activity, they claim that cybercriminals abuse their platforms without their knowledge. But Adsterra and Propeller Ads were once again embroiled in recent malicious activity.
SearchSecurity received an anonymous tip about malicious activity on PEdump.me, a malware analyzer tool for Windows Portable Executable (PE) files. According to the source, who forwarded a GitHub issue post for PEdump, malicious ads were running on the file scanner that issued forced redirections to technical support scams (which were also destinations in the Master134 campaign) and fake antivirus scanners, as well as other objectionable content such as fake news sites and pornography.
One of the commenters on the GitHub post analyzed the malicious ads and discovered they were coming from ad serving domains owned by Adsterra: highprofitnetworks[.]com, madcpms[.]com and ampugi334f[.]com. SearchSecurity contacted the proprietor of PEdump, who goes by "Zed 0xff" and who confirmed they had created an account with Adsterra months earlier in order to generate some revenue to pay for the site's hosting costs.
Zed 0xff said they were unaware of Adsterra's history and chose the company as an advertising partner because PEdump had been rejected by Google Ads. They also said they did not personally see any malicious ads on PEdump and that those ads were likely geotargeted to specific regions or countries. Several of the ads included in the GitHub post were in Dutch, and Zed 0xff said they also received complaints about malicious ads from users in the U.S.
Open source threat intelligence services show two of Adsterra's domains are associated with IP addresses in the Netherlands that have been flagged for malicious activity by the Abuse IP Database. In addition, the domains themselves are still connecting to several suspicious domains, including apparent phishing and tech support scams as well as a coronavirus-themed URLs.
Adsterra did not respond to requests for comment.
UPDATE: After the publication of this article, Adsterra sent SearchSecurity the following statement from Gala Grigoreva, chief marketing officer at Adsterra:
"We haven't received any direct complaints from the PEdump.me owner or the website audience, so we are going to connect with him to investigate the case individually. Our platform is open to everyone willing to monetize traffic or run ad campaigns. We automatically scan the feed using specialized software and manually with the monitoring department's help. After the Master134 case, we have enhanced our multi-stage security system, but we understand that scammers are becoming more skilled. Adsterra has been on the market since 2013, trusted by thousands of private and corporate clients. It is our top priority to ensure a safe service by continually upgrading the security system."
'Tag Barnakle' campaign
In April, ad security vendor Confiant published research on a new malvertising campaign, dubbed "Tag Barnakle," that involved Propeller Ads. Eliya Stein, senior security engineer at Confiant, discovered a threat actor that had taken a different approach for their malvertising scheme; instead of posing as a legitimate publisher and spending money to run malicious ads, the threat actor compromised vulnerable ad servers running Revive, an open source program for digital advertising.
According to Stein's report, Tag Barnakle successfully compromised approximately 60 ad servers, used by various enterprises and ad firms, and loaded malicious payloads directly into the ads. In April, Confiant observed malicious ads on 360 web properties, but Stein said given the reach of the ad servers, Tag Barknakle impacted "tens of thousands of sites."
But Stein said compromised ad servers were only the beginning of the Tag Barnakle campaign; after potential victims were identified by the malicious code on the servers, the victims were redirected to a series of "cloaking" domains controlled by the threat actors, and then redirected once again to the final stage of the attack on a domain called deloplen[.]com, which is owned and operated by Propeller Ads.
Confiant said Propeller Ads has a history of being a "purveyor of malicious demand," particularly Trojans that are disguised as Flash updates. And Stein said that's exactly what victims were faced with at the end of Tag Barnakle attack chain.
Stein said the threat actors behind Tag Barnakle worked with Propeller Ads because they could make money by redirecting traffic from the hijacked ad servers to Propeller, which buys traffic for ads on its network. "Propeller is the monetization partner of the attacker," he said. "The attacker is hacking the sites and ultimately a victim is going to get redirected to something nasty through the Propeller network, and that's how the attacker will get paid."
Because Propeller Ads was "pretty far down the stream" of the Tag Barnakle campaign, Stein said, the ad network may not have known its partner was hacking ad servers. However, he said Propeller Ads is "known to look the other way on things like this" in the past.
"In this campaign, whenever we were able to observe the payload in the final stage, it always came back to Propeller," he said. "There's really no good argument they can make when you take a random Propeller ad tag and refresh it and four out of five times you get either porn or malware."
According to information from several open source threat intelligence services, the deloplen[.]com domain was still connecting to malicious domains and was reported for abusive activity as recently as this month. In addition, the deloplen[.]com domain was cited in previous malvertising reports, including a November 2019 report from WordPress security company Wordfence, which uncovered a "prevalent" malware campaign known as WP-VCD.
Confiant contacted the organizations with compromised ad servers, but Stein said it did not contact Propeller Ads before the publication of the Tag Barnakle report. SearchSecurity contacted Propeller Ads several times, but the company did not respond.