In an ongoing campaign that has placed malicious ads on tens of millions, if not hundreds of millions, of computers, criminals have compromised more than 120 ad servers and injected malicious code into legitimate advertisements so that they redirect visitors to sites pushing malware and fraud. The campaign has been running for the past year, and to all outward appearances the ads look benign. The threat group behind it is tracked under the name Tag Barnakle.
Malvertising is the practice of placing ads on websites that viewers trust. The ads contain JavaScript that surreptitiously exploits software flaws or tries to trick visitors into installing an unsafe application, paying fraudulent computer-support fees, or taking other harmful actions. Typically, Internet fraudsters pose as buyers and pay ad-delivery networks to display the malicious ads on individual pages.
Infiltrating the ad ecosystem as a legitimate buyer takes resources. Scammers first have to spend time studying how the industry works and then build a reputable-looking entity. The approach also requires paying for the ad space on which the malicious advertising is shown. That, however, is not the method used by the malvertising group known as Tag Barnakle.
“Tag Barnakle, on the other hand, can bypass this initial hurdle completely by going straight for the jugular—mass compromise of ad serving infrastructure,” Confiant researcher Eliya Stein wrote in a blog post. “Likely, they’re also able to boast an ROI [return on investment] that would eclipse their rivals as they don’t need to spend a dime to run ad campaigns.”
Over the past year, Tag Barnakle has infected more than 120 servers running Revive, an open-source application for organizations that want to run their own ad server rather than rely on a third-party provider. Once an ad server has been compromised, Tag Barnakle loads it with a malicious payload. The group does not use client-side fingerprinting to identify the most attractive targets, so as to ensure that the malicious ads are delivered only in small numbers. The servers that deliver the secondary payload to targets also use cloaking techniques to stay under the radar.
When Confiant reported on Tag Barnakle last year, the company found that about 60 Revive servers had been compromised, which allowed the group to distribute ads across more than 360 web properties. Those ads triggered fake Adobe Flash updates that installed malware on desktop computers when run. This time, Tag Barnakle is targeting both iPhone and Android users. Web pages that receive an ad from an affected server serve heavily obfuscated JavaScript that determines whether the visitor is using an iPhone or an Android phone.
The ads mainly promote fake security, safety, or VPN apps that carry hidden subscription fees or “siphon off traffic for nefarious ends.” Because ad servers are often integrated with several advertising exchanges, the ads can reach thousands of individual websites. Confiant does not know how many end users have been affected, but the company believes the number is huge.