A long-running, multi-faceted malvertising campaign has been found using a technique that enables the sites involved to bypass the protections of ad blockers.
Malvertising campaigns can take a lot of different forms and they often involve multiple layers of compromised or malicious sites and lots of redirections. Some campaigns are connected to malware operations and use exploit kits, while others simply use visual or technical tricks to redirect users to sites with malicious or aggressive ads. The ultimate goal is to get the user to click on an ad to either download some piece of software or collect pay-per-click revenue for the group behind the campaign.
The new campaign, identified by researchers at Malwarebytes Labs, is known as RoughTed and it is deeply connected to both exploit kits and the world of sketchy browser extensions. The attackers behind the campaign are using a number of interesting techniques, including detailed fingerprinting of users, and are pushing several different payloads to victims. The scope of the RoughTed campaign is considerable.
“We estimate that the traffic via RoughTed related domains accumulated to over half a billion hits and was responsible for many successful compromises due to effective techniques that triage visitors and bypass ad-blockers,” Jerome Segura of Malwarebytes Labs wrote in a post analyzing the campaign.
“The threat actors behind RoughTed have been leveraging the Amazon cloud infrastructure, in particular, its Content Delivery Network (CDN), while also blending in the noise with multiple ad redirections from several ad exchanges, making it more difficult to identify the source of their malvertising activity.”
Segura said the researchers noticed the RoughTed campaign while looking at traffic associated with the Magnitude exploit kit. They noticed that the RoughTed domain was redirecting traffic, through a series of intermediate domains, to the Magnitude filtering gate, leading users to the exploit kit. Much of the traffic that’s flowing through the RoughTed campaign is coming from streaming sites and file-sharing sites, Segura said, often with the help of URL shorteners.
“These are areas where malicious actors love to lurk because of the sheer volume of traffic but also subpar standards for quality and safety of online advertising,” he said.
The RoughTed campaign also uses detailed browser fingerprinting and a clever trick to evade ad blockers. When a user hits a page that is associated with the campaign and has the requisite code, clicking anywhere on the page will initiate a connection to a tracking site, bypassing the protection of the major ad blockers. The sites associated with this campaign have been seen delivering malware, browser extensions, and fake updates stuffed with adware.
“This malvertising campaign is quite diverse and no matter what your operating system or browser is, you will receive a payload of some kind. Perhaps this should be something for publishers to have a deep hard look at, knowing what they may be subjecting their visitors to if they decide to use those kinds of adverts,” Segura said.