Check Point: Hackers use over 10,000 hacked WordPress sites to launch malvertising campaign

by do son · Published August 6, 2018 · Updated August 6, 2018

Recently, network security company Check Point disclosed a massive malicious advertising attack. The attacker hijacks user traffic to gain black benefits by buying a website ad slot in a legal coat.

Researchers speculate that these unidentified ad slots have joined the legitimate online advertising platform to ensure proper access to their target customers – major online criminal gangs that hijack victims’ network traffic, redirects Go to the crooks website or use tools to push malware such as ransomware, online banking Trojans or mining plugins.

Check Point said in the report that Master134 is the black hand behind this malicious attack. The gang has invaded more than 10,000 websites based on WordPress CMS 4.7.1. After taking over the site, it opened its website advertising space and released it in real-time. Auction advertising platform AdsTerra.These ad slots flow to major online criminal gangs through ad resellers such as AdKernel, AdventureFeeds, EvoLeads, and ExoClick.

After purchasing these ad slots, the attacker exploits unpatched vulnerabilities in the user’s browser or related plug-ins (such as Adobe’s Flash Player) to run malicious JavaScript code, and users who click on these malicious ads will be attacked. An attacker can even locate a user based on a less secure operating system, browser, or a specific type of device.

The advertising content that is ultimately pushed to the user depends on the user’s identity, location, type of device used, etc., and the online advertising field still lacks the necessary verification technology. It is difficult for the industry to thoroughly review each ad to avoid the distribution of malicious content.

This is very popular for online criminal gangs, because they can not only buy “advanced” advertising space on legitimate online advertising platforms, but also illegal income can be washed through the payment system. They even compare the proceeds of the attack with the advertising expenditure to measure the rate of return.

Researchers at Check Point said third-party ad publishing platforms and resellers might be aware of these situations, but still choose to help parties in the black interest chain complete the transaction.

According to the security company’s findings, the attacker is likely to pay the Master 134 directly, and Master 134 pays the online advertising system for the cost of the redirect or even the source of the fuzzy traffic. The third-party platform used by an attacker to purchase a website ad slot is legal, so an attacker can use the platform to precisely control the user’s traffic.

Such malicious advertisements are still hanging on a large number of websites, and about 40,000 users are even attacked and infected every week.

Via: theregister