360 Guide: Inside the 'Master134' malvertising campaign Article 3 of 7

Bits and Splits - stock.adobe.co

Inside 'Master134': Adsterra's history shows red flags, abuses

Adsterra denied it was involved in the Master134 malvertising campaign, but a review of the company's history reveals many red flags, including activity in a similar campaign.

When Check Point Research published its report on an extensive malvertising campaign that involved several major online ad networks, one company in particular was highlighted as the driving force behind the scheme: Adsterra.

The Cyprus-based ad network, founded in 2014, describes itself as a "premium advertising network serving over 10 billion geotargeted ad impressions per month." By most accounts, the company appears to be exactly that: a major online advertising network, positioned as a competitor to Google's AdSense, that frequently appears at top industry events. Adsterra works with leading vendors in the online advertising space and boasts Alibaba-owned e-commerce giant Lazada Group as one of its partners. (Editor's note: SearchSecurity contacted Lazada Group for confirmation of the partnership but has not received a response.)

However, Check Point researchers believe there's more to Adsterra. The vendor's report puts the "powerful and infamous" company at the top of the "Master134" Malvertising campaign and claims the company "has been purchasing traffic from a known cybercriminal posing as an ordinary publisher, which obtains its traffic via malicious activities."

Master134 malvertising operation
The redirection/infection chain of the Master134 campaign.

In addition, SearchSecurity's investigation into Adsterra's history revealed other reports from security vendors implicating the ad network in malicious activity, including a major malvertising campaign that had not be previously connected to Adsterra.

Adsterra's links to Master134

Check Point found that four domains that received the hijacked WordPress traffic from the Master134 server -- cpm10.com, cpm20.com, hibids10.com and sloi1.com -- belong to Adsterra. A fifth domain, onclkds.com, was also cited in the report but was not attributed to Adsterra (see part five of this series for more). These domains served as the first redirection stage within the online ad ecosystem and, according to Check Point researchers, established that the Master134 threat actors were "working directly" with Adsterra.

Master134 Adsterra AdKernel ExoClick
How the Master134 campaign worked.

Adsterra issued a statement via its Facebook page disputing Check Point's report and the characterization that it was a willing participant in the Master134 campaign. The company also stated that all publishers' accounts mentioned in the Check Point article had been suspended.

"However, the logs from the article demonstrate that those ads came from third-party networks, which are hard to control. Third-party ads served by other ad networks connected to our supply using RTB/XML protocols. We will contact the networks that were mentioned in that article and notify them of the problems discovered," Adsterra stated.

Adsterra Master134 statement
Adsterra posted a statement on Facebook about Check Point's Master134 report,

Adsterra has not responded to requests for additional comments.

Lotem Finkelsteen, Check Point's threat intelligence analysis team leader and one of the contributors to the Master134 report, said Adsterra's denials don't mesh with the facts; the campaign was simply too intricate to believe Adsterra's involvement was purely accidental.

"All of the flows and transmissions through the ad networks are very complex," Finkelsteen said. "We believe this is part of an extremely financially motivated effort. And we believe that Adsterra either knew this was going on and allowed it, or they chose to ignore the signs."

The WordPress traffic went through several redirection stages and always ended up at malicious domains, including the RIG and Magnitude Exploit kits, and never once was purchased by legitimate publishers; that would not have been possible, Finkelsteen said, without some type of coordination in the campaign.

We have no doubt Adsterra has been tunneling malicious activity for years now, and they constantly ignore every security report we or others serve them.
Lotem FinkelsteenThreat intelligence analysis team leader, Check Point Research

Adsterra claimed that third-party ads on its network were malicious and were to blame for the redirection. However, a random malicious ad on Adsterra's network would have simply infected the WordPress traffic directly. Instead, Check Point researchers said Adsterra's domains redirected the traffic to four other third-party ad networks.

Adsterra claims it had no idea the Master134 publisher account was malicious, but the account's 134.249.116.78 IP address has been flagged in numerous security blogs, threat reports and alerts prior to Check Point's report that are easily obtainable with a simple Google search of the address. One such security alert from cybersecurity vendor NinTechNet issued in November 2017 warned not only of the 134.249.116.78 IP address, but also of cpm20.com -- Adsterra's own domain.

Despite the company's claims that it monitors all campaigns and stops malicious activity, the Master134 server sent large volumes of traffic to Adsterra's network over an extended period of time, and Finkelsteen said the company never put a stop to it.

Adsterra's past

While Adsterra denied any wrongdoings, the ad network was involved in a previous malvertising campaign that was strikingly similar to Master134.

Indeed, Check Point's report noted this isn't the first time Adsterra has been cited in reports from threat researchers. A 2016 report from endpoint security vendor Malwarebytes called out Adsterra as being part of a campaign similar to Master134. According to the report, malicious ads from Adsterra's network were largely responsible for a spike in activity for the Magnitude exploit kit.

"In the past two weeks, we have documented over 400 unique malvertising incidents coming out of Adsterra," Malwarebytes Lab wrote in the 2016 report. "These malicious advertisements were displayed on a variety of adult sites and torrent portals and the ultimate payload was the Cerber ransomware."

Adsterra's connections to malicious activity go deeper still. The Malwarebytes report references "Adsterra (AKA TerraClicks)" and attributes the domain terraclicks.com to the company. According to DNS lookup service Robtex, the terraclicks.com domain is owned by a similarly named company called Terra Advertising Corp. in Kiev, Ukraine.

A search of the terraclicks.com on the AbuseIPDB service, an IP address blacklist for webmasters, connected the domain's IP address, 198.134.112.241, to Ad Market Limited, which is the corporate name of Adsterra. In addition, captures of the domain from 2015 on the Internet Archive's Wayback Machine display the Adsterra logo and says, "This domain is operating by Adsterra Premium Ad Network."

Adsterra Terraclicks
Terraclicks.com is another Adsterra domain that's been implicated in malvertising schemes.

Malwarebytes also reported that its Anti-Malware Premium product had blacklisted the terraclicks domain and effectively blocked all ads served via Adsterra. The terraclicks.com domain has been cited in a number of reports and complaints regarding browser hijacking, redirects and pop-up ads in recent years. But malicious activity connected to the domain goes beyond basic adware schemes.

For example, FireEye cited the terraclicks domain in a 2017 report on malvertising campaigns. According to FireEye researcher Zain Gardezi, terraclicks.com was one of several domains and ad services that redirected traffic to sites hosting the Magnitude exploit kit (a campaign similar to the one involving Adsterra documented by Malwarebytes in 2016). Gardezi said that the Terraclicks ads were "still being used to move traffic to the Magnitude exploit kit" as recently as the third quarter of 2018.

More recently, CSE CyberSec, a cybersecurity vendor based in Rome, published a report on an extensive malvertising campaign in January 2018 that also featured compromised WordPress sites. The campaign, dubbed "Operation EvilTraffic" by the research team, describes a complex scheme of malware infections, traffic redirection and SEO poisoning that occurred in late 2017; researchers observed threat actors exploiting vulnerabilities in 35,000 WordPress sites and uploading malware to the sites that forced browsers to redirect to other domains.

"When the advertising banners are no longer effective to generate revenues because of [the] spreading of adblockers, you have two chances: Inject a JavaScript cryptocurrency miner in your web pages [or] compromise a set of vulnerable websites creating a huge redirect chain towards advertising websites and hijack all visitors to it," the report stated.

According to CSE CyberSec, which is now part of Italian security vendor Cybaze Group, WordPress traffic was redirected to two domains and then moved to various advertising sites, which were boosted by the malware using SEO poisoning. While the report doesn't mention Adsterra or Ad Market Limited, the researchers said one of the two malicious domains, hitcpm.com, "acts as dispatcher to different sites registered to this revenue chain." Multiple WhoIs data sources, including the AbuseIPDB and DomainTools, show the hitcpm.com domain and its IP address, 198.134.112.244, point to Ad Market LLC.

Antonio Pirozzi, director of Cybaze Group's Z-Lab and co-author of the EvilTraffic report, confirmed the research findings regarding hitcpm.com but could not say whether the research team was aware the domain belonged to Adsterra at the time of its investigation.

In addition, AlienVault's Open Threat Exchange service shows the indicators of compromise for Operation EvilTraffic include the domains cpm10.com and cpm20.com; those domains, according to Check Point's research, belong to Adsterra and were specifically used in the redirection chain for the Master134 campaign.

The data indicates that Adsterra was involved in two different redirection campaigns in 2017 and 2018, both relying on hijacked WordPress traffic.

Fraudulent traffic schemes

Check Point researchers monitored and analyzed the traffic flows, Finkelsteen said, but did not create publishers or advertiser accounts on Adsterra or the other ad networks to observe how the platforms market traffic and identify buyers and sellers. Therefore, Finkelsteen said, it's unclear how Adsterra was able to direct the WordPress traffic solely to threat actors running the exploit kits and not legitimate publishers seeking ad traffic.

Roy Rosenfeld, head of the Fraud Lab at DoubleVerify, a New York-based company that specializes in online ad authentication and fraud prevention, has a theory. Rosenfeld said he's observed redirected and fraudulently generated traffic schemes similar to Master134, which can involve pop-up or pop-under ads, hijacked WordPress domains, and piracy and illegal streaming sites.

"Much of the traffic generated in schemes like the one in Check Point's report is very, very cheap to purchase," he said. "And there's a lot of it. And the people at the end of the chain, the so-called advertisers that are trying to push malware on those users need to sustain a profitable operation by buying the cheapest traffic out there."

Rosenfeld said DoubleVerify's Fraud Lab is familiar with the companies mentioned in Check Point's report and that they specialize in buying and selling cheap traffic.

"We know these companies because sometimes they end up selling hijacked pop-ups, for example, to actual, legitimate websites that have real content and real ads," he said.

Threat actors looking for such cheap traffic know these companies as well. Therefore, he said, it would have been fairly simple for an ad network like Adsterra to receive the hijacked traffic from the Master134 server operators and sell it at a low price to other ad networks, who then sell the traffic again to threat actors, without ever needing any kind of one-to-one communication between Adsterra and the resellers.

"If you've done this long enough, then you know where you need to go to buy traffic in bulk at low prices," Rosenfeld said. "It doesn't have to be an orchestrated scheme throughout. You have someone that specializes in obtaining the traffic, and someone that specializes in monetizing that traffic, and they can easily join forces through business transactions."

One thing, however, is clear, according to Finkelsteen. "We have no doubt Adsterra has been tunneling malicious activity for years now," he said, "and they constantly ignore every security report we or others serve them."

As a result, Check Point blacklisted Adsterra's domains across its products.

Adsterra has not responded to requests for comment regarding additional reports.

Read part three of our six-part series on the Master134 campaign and malvertising threats.

Next Steps

This six-part series examines the recent Master134 malvertising campaign and the role online ad networks played in the malicious activity.

Part one: 'Master134' malvertising campaign raises questions for online ad firms
Part two: Adsterra's history shows red flags, abuses
Part three: More ad networks tied to 'Master134' campaign
Part four: ExoClick tied to previous malvertising campaigns
Part five: Propeller Ads connected to malvertising campaign
Part six: Ad networks' 'blind eye' threatens enterprises

Dig Deeper on Threats and vulnerabilities

360 Guide: Inside the 'Master134' malvertising campaign

Article3 of 7

Up Next

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close