Massive malvertising infection: check if you are at risk

Proofpoint researchers have discovered and analyzed a massive malvertising network operating since 2015.

According to Proofpoint, this malvertising operation, known as AdGholas, infected thousands of victims every day using a sophisticated combination of techniques.

AdGholas appears to have ceased operation in the wake of action by advertising network operators following notification by Proofpoint.

The malvertising campaign employed a complex and powerful combination of techniques that enabled its operators to remain undetected for over a year.

According to Proofpoint, the AdGholas network drew 1 to 5 million high-quality client hits per day.

“This campaign represents the first documented use of steganography in a drive-by malware campaign, and attacks employed ‘informational disclosure’ bugs perceived to be low-risk to stay below the radar of vendors and researchers,” Proofpoint said.

AdGholas employs ‘smart,’ multi-step filtering techniques to more precisely target client systems, including avoiding non-OEM and non-Nvidia/ATI-powered systems.

Softpedia explained that the cyber criminals were targeting users who had Nvidia or ATI drivers installed and OEM logos on their PCs, as a sign that they were using a highly customized OEM version of Windows.

Redirected sites avoid suspicion and improve effectiveness by closely mimicking the appearance of the legitimate site expected by the ad agencies.

When someone reached the infected landing pages, Softpedia said, they “would be infected with a broad range of malware, usually different based on the user’s location”.

Websites where the malicious ads were shown

Proofpoint highlighted that the traffic came from a variety of high-ranking referrers (websites).

“These networks and referers drove 1 to 5 million hits every day, and of these, 10-20% are redirected to the exploit kit,” Proofpoint said.

According to the report the malicious ads were shown on many high-profile websites, including Ars Technica, Answers.com, Daily Mail, Huffington Post, The New York Times, The Verge, Top Gear, Urban Dictionary, and PCMag.

Here are the referers and ad agencies listed by Proofpoint.

AD AGENCY

  • Rubicon
  • AdForm
  • Yahoo Inc
  • Adstract/PLYmedia
  • Roni SNW
  • Vic Advertise
  • Lemmonete
  • Taggify
  • Cappture
  • Admedo
  • MarsMediaGroup
  • Dataxu
  • Marathon Digital Media
  • Rhythm One
  • Conversant Media
  • Zedo
  • Floor6
  • Ezanga
  • OpenX
  • AdGorithms
  • Digilant
  • Adperium

