2020-04-23

A mysterious group of hackers has been taking over ad servers for the past nine months to insert malicious ads into their ad inventory, redirecting users to malware download sites.

This clever hacking campaign was discovered last month by cybersecurity firm Confiant and appears to have been running for more than nine months, since August 2019.

Confiant says the hackers have targeted ad networks running older versions of the Revive open-source ad server. The hackers breach outdated Revive servers and silently add malicious code to existing ads.

Once the tampered ads are loaded on legitimate sites, the malicious code hijacks the ad and redirects site visitors to websites that offer malware files, usually disguised as Adobe Flash Player updates.

Image: Confiant

Confiant says it identified about 60 Revive ad servers that have been compromised by this group of hackers, which the company has named Tag Barnakle.

The company says the group has managed to load its malicious ads on thousands of sites, and that the malicious ads also reach other ad companies through the real-time bidding (RTB) integrations between services.

“If we take a look at the volumes behind one of the compromised RTB ad servers, we see peaks of up to 1.25 million affected ad impressions in a single day,” said Eliya Stein, senior security engineer at Confiant.

Tag Barnakle is not the norm for malicious advertisers

Stein says Tag Barnakle is a rare breed of malicious advertiser. Groups that hack ad servers to push malicious ads have not operated on this scale since 2016.

In recent years, most malicious ad groups have worked through a different strategy: setting up front companies that buy ads on legitimate sites, which they then modify to load malicious code.

This tactic has been prevalent in recent years because some shady ad networks are willing to look the other way when abusers buy ads on their systems, as both parties make a profit. Tag Barnakle’s modus operandi, however, is not something advertising companies will be willing to tolerate.

“We’ve seen other malicious advertisers do this, but it’s less widespread in general for several reasons,” Stein told ZDNet in an email. “First of all, I think there is a feeling among attackers that there is a legal gray area when it comes to commercial advertising, but once you compromise an ad server, there is no doubt that you have broken the law in a big way.”

“It’s also a different focus overall,” Stein added. “I imagine not all malicious advertisers have the skill set that lets them go out and hack infrastructure or advertising accounts. Paying for a media buy (an advertising space) is the path of least resistance.”

The attacks continue

Stein tells ZDNet that Confiant has spent the past few weeks warning advertising companies that they have been compromised. However, not all of them have acted on Confiant’s warnings about Tag Barnakle so far.

“The campaign itself is still underway on the ad servers that remain compromised,” Stein told ZDNet.

“We’ve notified the owners of all the ad servers about the breach, but not everyone has followed up with us. Some of the ad servers were affected only briefly, perhaps just days before the ad server owner dealt with the breach. Others remain live to this day,” he added.

“From our point of view, we continue to block ads on behalf of our customers that arrive through ad placements previously associated with the compromise.”

Stein also said that Confiant will publish more reports on malicious advertisers hacking ad servers, and on their tactics, going forward.