IT Security Guru

Hackers manipulate AdWords to redirect users and place malvertising banners

by The Gurus
January 15, 2015
in Editor's News

Recent attacks have seen the AdSense network infected and Google AdWords manipulated by attackers to create a new type of malvertising attack.
 
According to a blog post by Sucuri senior malware researcher Denis Sinegubko, the company received requests to scan websites for malware because some of them randomly redirected visitors to magazine websites; in all cases, the symptoms were the same.
 
“Some users randomly got redirected when they clicked on links or loaded new pages,” Sinegubko said. “They all reported that the new page would show up for a second or two and then it would redirect them to those magazine websites.”
 
While some visitors regularly saw those redirects and even complained that the websites were barely usable because of them, Sucuri found that the redirect was due to third-party scripts, which looked quite plausible since all the websites ran third-party ads.
 
It revealed that sites with AdSense banners (not text ads) randomly redirected visitors to fake sites that “revealed health secrets”, such as skin care and anti-aging, IQ and brain enhancers, and weight-loss products, and that pretended to be reputable (although sometimes nonexistent) blogs and magazines.
 
However, all of the fake sites are in different subdirectories of domains linked to lemode-mgz, which only contained empty pages. Three of the five domains were registered in December 2014, another in August 2014 and the other in 2013. “In all cases the whois data is protected and all these domains are hosted on Amazon network: EC2 and S3,” Sinegubko said.
 
Jared DeMott, security researcher at Bromium, said that typical “malvertising” would normally just serve up browser exploits or similar, but in this case it seems some other clickjacking-like scam was involved.
 
Jérôme Segura, senior security researcher at Malwarebytes, said that other companies had contacted them wondering if their computers had been infected, and many complained to various site administrators who could not see anything wrong with their own servers.
 
He said: “Typically malvertising is known for redirects that are malicious in nature, for instance a redirection to an exploit kit. Pushing scam pages instead is a little more unusual and typically only done in specific cases.
 
“In this case it appears as though the bad guys hijacked existing accounts, and in particular some that had large spending budgets. This is an interesting new approach for us and it does have some definite advantages [for the attacker]. For one, the criminals can still conduct their activity anonymously, since they are using somebody else’s profile.”
 
Also in the attack, two advertising campaigns were manipulated to feature malicious banners, and both used legitimate AdWords accounts with relevant banners. Sinegubko said: “I guess the scammers somehow hijacked them — probably stole or guessed their credentials. Most likely those accounts didn’t have active campaigns at the moment, otherwise their owners must have noticed the significantly increased activity.
 
“The other possibility is the scammers created those fake accounts themselves using the legitimate sites as a cover.”
 
Segura called this more important, as a legitimate and approved AdWords account with significant funds was used. “This could explain why it took so long for Google to address the issue and definitely leaves some questions unanswered,” he said.
 
“To me, this example confirms that malvertising has simply gone out of control and is probably the biggest infection vector we will continue to see in 2015. The bad guys could not hope for anything better to spread either malware or scams: anonymity, instant propagation and effectiveness.”
 
DeMott said: “The attack vector with ad-malware is to compromise one of the ad networks such that an attacker can insert their scripts/redirects into otherwise legitimate ads, which will only get served up to x% of visitors based on normal ad heuristics.”
 
Sinegubko doubted that this campaign is limited to AdSense, as there is no reason why scammers would not use other ad networks, and recommended that webmasters consider any third-party script they place into their site code as a potential threat.
 
Itsik Mantin, security researcher at Imperva, said: “Specifically in this incident the attackers didn’t have a real issue with placing high bids, since according to the blog speculation, they were partying on the AdWords account of someone else, probably using stolen credentials.
 
“Once the victim is caught and brought in, the attacker can start phishing. One of the common phishing methods includes impersonating as a legitimate site and using the natural trust the victim has in this site, to convince him to enter his credit card number or any other secrets the attacker needs, for example his credentials to an AdWords account.”

Tags: attack, Google, Malvertising