Confiant specialists have published a malware study called “Demand Quality Report for Q3 2019” dedicated to the analysis of malicious advertising. They found that almost 60% of all malicious ads are distributed by three ad networks.
Between January 1 and September 20, 2019, experts analyzed 120 billion malicious ads that forcibly redirected the user to malicious sites or downloaded a secondary payload. “A malicious ad is defined by Confiant as one that performs unwanted behavior such as a forced redirect to scams, cryptojacking, or ads that infect a visitor’s device”, BleepingComputer reporters explain.
Most of the advertising banners were associated with fraudulent schemes, and some were used for cryptojacking or for infecting the user’s device with malware so that it could later be enrolled in a botnet.
According to researchers, among the 75 advertising providers, more than 60% of malicious ads came from three platforms (the company does not disclose their names). In addition, most malicious advertising campaigns were carried out on weekends, and the largest on holidays.
“Malicious advertisers tend to conduct their campaigns around periods where there is less active personnel monitoring the ad networks and thus may be slower to respond to attacks”, the experts note.
In the third quarter of 2019, Scamclub, eGobbler, RunPMK, and Zirconium were responsible for most of the malicious ads distributed through ad networks.
Unlike other attackers, Scamclub makes little effort to avoid detection by fingerprinting the browser or profiling the target audience. Instead, Scamclub runs huge campaigns with dozens or hundreds of ads, relying on the ad platforms’ defenses failing to catch every banner, so that some of them reach legitimate sites.
The eGobbler group uses browser vulnerabilities to redirect users to malicious sites. In a recent campaign, eGobbler exploited a vulnerability in Apple’s WebKit browser engine to distribute more than 1 billion malicious ads.
The RunPMK group intercepts mobile traffic from iOS and Android devices to display fraudulent ads, for example fake cash-prize giveaways.
Zirconium uses distinctive browser-fingerprinting methods to show specific ads to selected users. During its attacks the group relies on obfuscation and usually distributes fraudulent advertising under the guise of technical support services.
Conclusions from Confiant:
The good news is that the number of malicious ads making it to a user’s browser is decreasing as solutions like Confiant’s filter out bad ads, publishers adopt the ads.txt file to prevent unauthorized ads appearing on their sites, and supply-side platforms (SSPs) apply more vigilant and tighter controls.
While we are moving in the right direction with the amount of malicious ads dropping from 0.25% to 0.15%, there are still a lot of unwanted ads making it to users’ browsers, and most are only coming from a few lax players.
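Confiant credits the ads.txt file with keeping unauthorized sellers out of publishers’ inventory. The script below is an added example, not code from Confiant or BleepingComputer: it parses a constructed ads.txt file in the IAB Tech Lab format (one authorised ad system per line as `domain, account id, DIRECT|RESELLER[, certification authority id]`, `#` comments, and `key=value` variables such as `contact=`) and answers whether a given seller and account ID are authorised for that publisher. The publisher and seller domains, account IDs and the certification authority ID are all made up for the sample.

```python
"""Minimal ads.txt checker (added example; not Confiant's or BleepingComputer's code).

A publisher serves ads.txt at https://<publisher-domain>/ads.txt. Each data
record names one ad system that may sell the publisher's inventory:

    <ad system domain>, <publisher account id>, <DIRECT|RESELLER>[, <cert authority id>]

Lines starting with '#' are comments and 'key=value' lines are variables.
A buyer or verification tool compares the seller domain and account id on a
bid request against these records; a seller that is not listed is offering
unauthorised inventory, which is the abuse the article says ads.txt prevents.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample file for a hypothetical publisher; every value is made up.
SAMPLE_ADS_TXT = """\
# ads.txt for example-publisher.test (constructed sample)
contact=adops@example-publisher.test
subdomain=news.example-publisher.test
adexchange.example, pub-1234, DIRECT, tag-0001
resellernet.example, 99887, RESELLER
badline without enough fields
adexchange.example, pub-1234, PARTNER      # invalid relationship keyword
"""


@dataclass(frozen=True)
class Record:
    ad_system: str
    account_id: str
    relationship: str              # "DIRECT" or "RESELLER"
    cert_authority_id: Optional[str]


def parse_ads_txt(text: str) -> Tuple[List[Record], Dict[str, str], List[Tuple[int, str]]]:
    """Return (records, variables, errors); errors holds (line_no, raw line) for malformed lines."""
    records: List[Record] = []
    variables: Dict[str, str] = {}
    errors: List[Tuple[int, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # drop whole-line and trailing comments
        if not line:
            continue
        if "=" in line and "," not in line:          # variable line, e.g. contact=...
            key, _, value = line.partition("=")
            variables[key.strip().lower()] = value.strip()
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) not in (3, 4) or fields[2].upper() not in ("DIRECT", "RESELLER"):
            errors.append((line_no, raw))            # malformed: wrong field count or relationship
            continue
        records.append(Record(
            ad_system=fields[0].lower(),             # domains are case-insensitive
            account_id=fields[1],
            relationship=fields[2].upper(),
            cert_authority_id=fields[3] if len(fields) == 4 else None,
        ))
    return records, variables, errors


def authorization(records: List[Record], ad_system: str, account_id: str) -> Optional[str]:
    """Return "DIRECT" or "RESELLER" if the seller/account pair is listed, else None (unauthorised)."""
    for r in records:
        if r.ad_system == ad_system.lower() and r.account_id == account_id:
            return r.relationship
    return None


if __name__ == "__main__":
    recs, vars_, errs = parse_ads_txt(SAMPLE_ADS_TXT)
    print(f"{len(recs)} valid records, {len(errs)} malformed lines, contact={vars_.get('contact')}")
    for line_no, raw in errs:
        print(f"  line {line_no} rejected: {raw!r}")
    for seller, acct in [("adexchange.example", "pub-1234"), ("rogue-ssp.example", "555")]:
        print(seller, acct, "->", authorization(recs, seller, acct) or "UNAUTHORISED")
```

Malformed lines are reported rather than silently skipped, because a publisher whose ads.txt contains typos can unintentionally leave a legitimate seller looking unauthorised, or fail to list a reseller it actually uses; in practice the file would be fetched from the publisher’s domain over HTTPS and the check run for each seller seen in bid traffic.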