Confiant experts found that in the past nine months (since August 2019), unknown criminals have hacked more than 60 ad servers in order to inject their malicious ads onto a wide variety of sites.As a result, visitors of such resources are redirected to sites with the download of malware. This campaign is called Tag Barnakle.
Experts believe that hackers attack ad networks using older versions of the open-source advertising server Revive.
“If the attack succeeds, the attackers add their malicious code to existing ads. When such infected ads downloaded to various sites, malicious code intercepts and redirects their visitors to malicious resources, usually containing malware, masked as Adobe Flash Player updates”, – write Confiant experts.
Researchers have discovered about 60 Revive servers compromised by this hack group. It is reported that as a result, the grouping managed to place malicious ads on thousands of sites, and these ads are also transmitted to other advertising companies due to RTB integration between the services.
Overall, the talk is about 1.25 million of advertisements per day for one compromised RTB server.
According to analysts, Tag Barnakle is almost a unique case, since experts have not observed malicious campaigns of this magnitude related to advertising since 2016. Let me remind you that at that time Angler operators hunted massive hacks of advertising servers.
“But recently, hackers have taken a different approach: they create networks of fake companies that buy ads on legitimate sites, and then modify these ads to download malicious code. Thus, hackers remain in a kind of “gray zone”, since they still buy ad slots and do not break directly”, – write Confiant experts.
Confiant researchers also note that in recent week, they have only been engaged in notifying advertising companies about hacking incidents, but the hackers’ campaign is still active and attacks continue. Unfortunately, not all owners of advertising servers are ready to listen to information security specialists, so some of the compromises that are discovered are still active.
This is not the first time I have been saying that now it’s almost the most favorable time for attackers, hack companies amaze with scale and ingenuity, for example, I recently said that hackers spoof DNS settings to distribute fake coronavirus applications.