Inside 'Master134': Ad networks' 'blind eye' threatens enterprises
Online ad networks linked to the Master134 malvertising campaign and other malicious activity often evade serious fallout and continue to operate unabated.
The online advertising networks implicated in the "Master134" malvertising campaign have denied any wrongdoing, but experts say their willingness to turn a blind eye to malicious activity on their platforms will likely further jeopardize enterprises.
In total, eight online ad firms -- Adsterra, AdKernel, AdventureFeeds, EvoLeads, ExoClick, ExplorAds, Propeller Ads and Yeesshh -- were connected to the Master134 campaign, and many of them presented similar explanations about their involvement with the malvertising campaign. They insisted they didn't know what was going on and, when informed of the malvertising activity, they immediately intervened by suspending the publisher accounts of the malicious actors abusing their platforms. However, none of the ad networks were willing to provide names or account information of the offending clients, citing vague company privacy policies and government regulations that prevented them from doing so.
A cybersecurity vendor executive, who wished to remain anonymous, said it's likely true that the ad networks were unaware of the Master134 campaign. However, the executive, who has worked extensively on malvertising and ad fraud-related campaigns, said that unawareness is built by design.
"They don't necessarily know, and they don't want to know, where the traffic is coming from and where it's going because their businesses are based on scale," the executive said. "In order to survive, they have to ignore what's going on. If they look at how the sausage is made, then they're going to have issues."
The use of various domains, companies, redirection stages and intermediaries makes it difficult to pinpoint the source of malicious activity in malvertising schemes. Tamer Hassan, CEO and co-founder of White Ops, a security vendor focused on digital ad fraud, said complexity makes the ecosystem attractive to bad actors like malware authors and botnet operators, as well as ad networks that prefer to look the other way.
"It's easy to make it look like you're doing something for security if you're an ad network," Hassan said. "There aren't a lot of ad companies that work directly with malware operators, but there are a lot of ad companies that don't look at this stuff closely because they don't want to lose money."
"Malware Breakdown," an anonymous security researcher who documented early Master134 activity in 2017, offered a similar view of the situation. The researcher told SearchSecurity that because Propeller Ads' onclkds.com domain was being used to redirect users to a variety of different malvertising campaigns, they believed "the ad network was being reckless or turning a blind eye to abuse."
In some cases, Hassan said, smaller ad networks and domains are created expressly for fraud and malvertising purposes. He cited the recent Methbot and 3ve campaigns, which used several fraudulent ad networks that appeared to be legitimate companies in order to conduct business with other networks, publishers and advertisers. "The ad networks were real, incorporated companies," he said, "but they were purpose-built for fraud."
Even AdKernel acknowledges the onion-like ecosystem is full of bad publishers and advertisers.
"In ad tech, the situation is exacerbated because there are many collusion players working together," said Judy Shapiro, chief strategy advisor for AdKernel, citing bad publishers and advertisers. "Even ad networks don't want to see impressions go down a lot because they, too, are also paid on a [cost per impression] basis by advertisers."
There is little indication, however, that these online ad tech companies have changed how they do business.
Lessons learned?
Following the publication of the Master134 report, Check Point researchers observed some changes in activity. Lotem Finkelsteen, Check Point Research's threat intelligence analysis team leader and one of the contributors to the Master134 report, said there appeared to be less hijacked traffic going to the exploit kit domains, which suggested the ad networks in the second redirection stage -- ExoClick, AdventureFeeds, EvoLeads, ExplorAds and Yeesshh -- had either been removed from the campaign by the Master134 threat actors or had voluntarily detached themselves (Yeesshh and ExplorAds closed down the domains used in the campaign sometime in December).
But Adsterra is another story. More than six months after the report was published, Finkelsteen said, there's been no indication the company has changed its behavior.
Meanwhile, the Master134 campaign changed somewhat in the aftermath of Check Point's report. The threat actors behind the 134.249.116.78 IP address changed the redirection paths and ran traffic through other ad networks, Finkelsteen said.
Aviran Hazum, mobile threat intelligence team leader at Check Point Research, noted on Twitter in September that the campaign had a "new(ish) URL pattern" that moved hijacked traffic through suspicious redirection domains and ad networks like PopCash, a Romanian pop-under ad network that was blocked by Malwarebytes for ties to malicious activity.
AdKernel said it learned a lesson from the Master134 campaign and pledged to do more to remove bad actors from its network. However, a review of several of the domains that bear the "powered by AdKernel" moniker suggests the company hasn't successfully steered away from suspicious ad networks or publishers.
For example, one ad network customer named AdTriage has a domain called xml.adtriage.com that looks exactly like the self-service portals on the junnify and bikinisgroup sites that were also "powered" by AdKernel. AdTriage, however, doesn't appear to be a real company -- adtriage.com is filled with "Lorem Ipsum" dummy text. On the "About Us" page, the "Meet our team" section has nothing except text that says "Pics Here." (WhoIs results show the domain was created in 2011, and captures of the sites from that year on Internet Archive's Wayback Machine reveal the same dummy text.)
Escaping consequences
The recent history of malvertising indicates ad companies that issue denials are quite capable of moving on to the next client campaign, only to issue similar denials and reassurances for future incidents with little to no indication that their security practices have improved.
Check Point's Master134 report, as well as earlier malvertising research from FireEye and Malwarebytes, doesn't appear to have had much, if any, effect on the reputations of the five companies. They all appear to be in good standing with the online ad industry and have seemingly avoided any long-term consequences from being associated with malicious activity. ExoClick and Adsterra, for example, have remained visible through sponsorships and exhibitions at industry events, including The European Summit 2018 and Mobile World Congress 2019.
Online ad companies are often given the benefit of the doubt in malvertising cases such as Master134 for two primary reasons: Ad networks are legitimate companies, not threat groups, and digital ads are easy for threat actors to take advantage of without the help or complicit knowledge of those networks.
But Check Point Research's team has little doubt about the involvement of the ad networks in Master134; either they turned a blind eye to the obvious signs of malicious activity, Finkelsteen said, or openly embraced them to generate revenue.
Other security vendors have also publicized malvertising campaigns that redirect traffic to known exploit kits. FireEye reported in September that a malvertising campaign used the Fallout exploit kit to spread the GandCrab ransomware to victims primarily in Southeast Asia. According to the report, the malicious ads profiled users' browsers and operating systems.
"Depending on browser/OS profiles and the location of the user, the malvertisement either delivers the exploit kit or tries to reroute the user to other social engineering campaigns," the report stated.
It's difficult to determine exactly how much of the online ad ecosystem has been compromised by malicious or unscrupulous actors, said Adam Kujawa, director of malware intelligence at Malwarebytes.
"Advertising is the reason the internet exists as it does today," he said. "It's always going to be very close to the heart of all things that happen on the internet. The reason we see so much adware is because these companies kind of … live in a gray area."
The gray area can be even murkier on the technical side. Despite being key components in the Master134 campaign, the xml.bikinisgroup.com and xml.junnify.com URLs raise only a few alarms on public URL and file scanning services. VirusTotal, for example, shows that all 67 malware engines used in the scans rate both domains as "clean," though the Junnify domain did receive a -28 community score (VirusTotal community scores, which start at zero, represent the number of registered users who vote a file or URL as being safe or unsafe).
Malvertising campaigns like Master134 that use multiple traffic flows and advertising platforms could become increasingly common, according to the Check Point report.
"Due to the often complex nature of malware campaigns, and the lack of advanced technology to vet and prevent malicious adverts from being uploaded onto ad-network bidding platforms," the researchers wrote, "it is likely we will see more malvertising continue to be a popular way for cyber criminals to gain illegal profits for many years to come."