Security firms working with ad networks appear to have shuttered a large and complex malvertising network that had been spoofing real brand websites and ad creative to generate millions of hits per day.
Twenty-two ad platforms were unknowingly directing traffic to the network, known as AdGholas, which lured web users to sites that spoofed those of real brands and served ads that would infect their computers.
Proofpoint, a security research firm, first identified AdGholas in 2015. While malvertising is a common form of cybercrime, Proofpoint observed that AdGholas used two sophisticated techniques for building traffic to its malware sites. Firstly, malicious code was hidden in ad images (a technique called steganography), which let it slip past security software.
What’s more, the network was programmed to filter out web users who may have been savvy enough to become suspicious of being on a spoofed website. Each potential victim was profiled according to their location, time of day, browser setup and the types of software installed on their computer to determine how likely they were to be in-the-know on security matters.
“The scale and sophistication of techniques in this campaign make AdGholas stand out from others that we and other researchers have observed,” said Patrick Wheeler, director of threat intelligence for Proofpoint.
This system drove between one and five million hits per day, and of those millions, thousands of devices were redirected to spoofed sites hosting exploit kits, which then infected the devices with malware.
These exploit kits could give AdGholas’ creators access to infected machines, allowing them to observe the user, plant software on the machine or control various applications.
“It’s important to remember that the legitimate sites themselves were not compromised – like the ad networks themselves, the brands that owned these legitimate sites were abused by the AdGholas campaign,” said Wheeler.
When it comes to protecting a brand’s reputation from such scams, Wheeler said that “scanning for lookalike domains registered in other countries, and for stolen creative (using image searches, for example) can help identify cloned sites.
“As with fraudulent social media accounts, once cloned or lookalike sites and domains are identified, organizations can take a variety of measures from legal action or reporting abuse to domain registrars to mitigate their risk.”
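Wheeler's suggestion of scanning for lookalike domains can be automated. The following is an added example for brand-protection teams, not code from Proofpoint or the article: it folds common confusable characters (including a Cyrillic letter in a punycode name), checks edit distance against the brand label, and flags names registered under a different suffix. The brand domain and candidate list are constructed for illustration.

```python
import unicodedata

# Constructed sample: a brand's real domain and candidates such as a registrar
# feed or certificate-transparency log might produce. All names are invented.
BRAND_DOMAIN = "examplebrand.com"
CANDIDATES = [
    "examplebrand.com",                      # the genuine site
    "examp1ebrand.com",                      # digit 1 in place of letter l
    "exarnplebrand.co.uk",                   # "rn" mimics "m", foreign suffix
    "examplebrand-login.ru",                 # brand embedded in a longer name
    "exampelbrand.com",                      # transposed letters
    "ex\u0430mplebrand.com".encode("idna").decode("ascii"),  # Cyrillic "а" as punycode
    "unrelated-site.org",
]

# Confusable sequences frequently used in lookalike registrations (multi-char first)
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "\u0430": "a"}

def levenshtein(a, b):
    """Classic edit distance; two substitutions cover a transposed pair."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize_label(label):
    """Fold confusables so homoglyph variants compare equal to the brand label."""
    label = unicodedata.normalize("NFKC", label.lower())
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label.replace("-", "")

def classify(domain, brand=BRAND_DOMAIN):
    """Return the reasons a domain resembles the brand's (empty list if it does not)."""
    if domain.lower() == brand:
        return []
    unicode_form = domain.encode("ascii").decode("idna")   # xn-- labels back to Unicode
    label, _, suffix = unicode_form.partition(".")         # simplification: first label vs. rest
    brand_label, _, brand_suffix = brand.partition(".")
    norm, reasons = normalize_label(label), []
    if norm == brand_label:
        reasons.append("homoglyph/confusable spelling of brand label")
    elif brand_label in norm:
        reasons.append("brand label embedded in a longer name")
    elif levenshtein(norm, brand_label) <= 2:
        reasons.append("typo-squat within edit distance 2")
    if reasons and suffix != brand_suffix:
        reasons.append(f"registered under different suffix .{suffix}")
    return reasons

def find_lookalikes(candidates, brand=BRAND_DOMAIN):
    """Map each suspicious candidate to its reasons; genuine and unrelated names drop out."""
    return {d: r for d in candidates if (r := classify(d, brand))}

if __name__ == "__main__":
    for domain, reasons in find_lookalikes(CANDIDATES).items():
        print(f"{domain}: {'; '.join(reasons)}")
```

Hits from such a scan feed the follow-up Wheeler describes, such as abuse reports to the registrar, and the confusable table should be extended with the scripts relevant to the brand's markets.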