Malicious AdGholas Advertising Campaign Infects Thousands and Targets Millions each Day

Malicious advertising, or what is known in the computer security community as Malvertising, has been a major concern for computer users who encounter the countless pop-ups, redirects, and sponsored links when surfing the Internet each day. According to security researchers at Proofpoint and Trend Micro, a particular malvertising campaign is known to infect thousands of computers with some form of malware and target millions in a given day.

The malvertising campaign in question was discovered in October of 2015 at a time when Proofpoint and Trend Micro were investigating other wide-spread malvertising attacks. The campaign uncovered, codenamed AdGholas, were actions that utilized sophisticated and aggressive techniques to evade detection. Furthermore, the campaign was successful for attacking 22 ad networks, ones that were known for displaying countless ads on several large legitimate sites.

It's a common practice for malvertising attackers to compromise some aspects of a legitimate advertising network so they may push out malicious ads to legitimate sites. In the case of the AdGholas campaign, attackers were found to use homegrown fingerprinting scripts that pushed out ads that if clicked, they would redirect users directly to their own malicious sites.

The use of traffic filtering controls from the advertising platforms enabled attackers to fine tune their targets and only deliver malicious advertisements to those who they were interested in targeting. Through the research of Proofpoint and Trend Micro, security experts were able to determine that the malvertising attackers searched for users who ran OEM versions of Windows, potentially allowing the campaign to go undetected by filtering out systems that would otherwise notice the advertisements.

The malware used in the AdGholas malvertising campaign ranged from several different types of threats. The attackers leveraged the popularized Angler and Neutrino exploit kits to serve the malware, which are two of the most popular spread matrix for malware this year. Proofpoint identified the malware as being Gootkit for systems located in Spain, Terdot.A for ones in Australia and Great Britain, and Gozi ISFB for systems located in Canada. While these were part of the AdGholas campaign malware that researchers identified, many others are in the mix targeting other regions of the world.

As far as the specifically targeted sites for the AdGholas malvertising campaign, there were many in the list of 113 legitimate sites that are rather large and high traffic sites. Some of the malicious ads were served on ad networks that feed ads to sites like The Verge, CBS Sports, PCMag, Sky.com, The New York Times, IBTimes, Telegraaf, ArsTechnica, Answers.com, and even Playboy.com. By hitting such sites with high traffic values, the number of systems targeted each day is over a million and has so far infected thousands each day of those sites unknowingly serving malicious advertisements.

Use of exploit kits throws some uncertainty to the full picture of new and aggressive malvertising campaigns. Though even with exploit kits seldom being shut down and brought back to life, somehow attackers are able to leverage the full potential of exploit kits to keep creating and spreading malware through ad networks. The key to the recent success of malvertising schemes like AdGholas, is the judicious actions of its perpetrators to keep their actions stealthy and only target systems that won't give away their secrets or quickly identify their path to delivering malicious advertisements.