Hackers and scammers have taken a slightly different approach to seed malware. Instead of paying to run fraudulent ad campaigns, malvertising group Tag Barnakle went ahead and attacked ad servers.
Malware creators have been targeting an increasing number of ad servers. Doing so helps the scammers run a very efficient and cost-effective ad campaign.
Infiltrating the ad ecosystem is a lot cheaper and quicker for running infectious ad campaigns:
Hackers have so far managed to target and hijack more than 120 ad servers. The ongoing hacking campaign is just the first step for a group that displays malicious advertisements.
The new method adopted by the malvertising group ‘Tag Barnakle’ is concerning because it has the potential to cause a lot of damage in the long run.
Malvertising Campaign ‘Tag Barnakle’ Infected 120 Ad Servers https://t.co/AX3mMoC6Km
— The Mac Observer (@MacObserver) April 20, 2021
Traditionally, malware creators infiltrated the abundant ad ecosystem on the internet by posing as legitimate buyers. Simply put, scammers would purchase ad impressions from legitimate ad-serving companies.
Needless to say, posing as a legitimate buyer requires resources. This includes time, money, and skills.
To enhance the efficacy of a malware ad campaign, scammers must invest time learning how the market works. Thereafter, they have to meticulously create an entity that has a trustworthy reputation.
Tag Barnakle One Year Later: 120+ More Revive Adserver Hacks https://t.co/AF0FiTAGei
— Nicolas Krassas (@Dinosn) April 19, 2021
The learning process, as well as the setup, requires a lot of money. Moreover, scammers have to pay money to buy space for malicious ads to run.
Security firm Confiant, which discovered the new malvertising campaign, indicates the seemingly new Tag Barnakle group has taken a different and more profitable approach.
Confiant researcher Eliya Stein detailed the activities of the Tag Barnakle group in a blog post. Stein says, “Tag Barnakle, on the other hand, is able to bypass this initial hurdle completely by going straight for the jugular—mass compromise of ad serving infrastructure”.
“Likely, they’re also able to boast an ROI [Return on Investment] that would eclipse their rivals as they don’t need to spend a dime to run ad campaigns”.
How to avoid becoming a victim of malvertising ads and campaigns?
Tag Barnakle has reportedly infected more than 120 servers running Revive. The open-source app is for organizations that wish to run their own ad server rather than relying on a third-party service.
After successfully taking over an ad server, Tag Barnakle loads a malicious payload on it. Thereafter, the group uses client-side fingerprinting to ensure only a small number of the most attractive targets receive the malicious ads.
This approach has two benefits. Selectively targeting victims increases the ROI of the campaign. Moreover, it helps the group fly under the radar and evade detection. The servers that deliver a secondary, malicious payload to targets also use cloaking techniques.
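The fingerprint-gated delivery described above is detectable from the defender's side with differential crawling: fetch the same ad tag under several client profiles and flag any URL whose response differs between them. The following is an added example, not Confiant's tooling or Revive's code; the profiles, the tag URL, and the mock endpoint are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed client profiles a defender's crawler would rotate through.
# Real crawlers vary many more signals; these three are illustrative only.
PROFILES = [
    {"name": "desktop-chrome", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/90", "headless": False},
    {"name": "mobile-safari", "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4) Safari/604.1", "headless": False},
    {"name": "headless-scanner", "ua": "Mozilla/5.0 HeadlessChrome/90", "headless": True},
]

def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def detect_cloaking(fetch, url, profiles=PROFILES, baseline=None):
    """Fetch one ad tag under every profile and report whether responses diverge.

    fetch(url, profile) -> bytes is supplied by the caller (real HTTP client or mock).
    A legitimate tag serves the same script to every client; differing bodies for the
    same URL are the signature of fingerprint-gated (cloaked) delivery. When a
    known-good baseline digest is given, profiles that received something other than
    the baseline are listed separately so an operator can see who was targeted.
    """
    by_digest = defaultdict(list)
    for profile in profiles:
        by_digest[digest(fetch(url, profile))].append(profile["name"])
    off_baseline = [name for d, names in by_digest.items()
                    if baseline is not None and d != baseline for name in names]
    return {"divergent": len(by_digest) > 1,
            "variants": dict(by_digest),
            "off_baseline": off_baseline}

# Constructed mock of a compromised delivery endpoint: scanners and headless
# clients get the untouched tag, while one "attractive" profile gets an
# appended marker standing in for an injected second-stage loader.
LEGIT_TAG = b"document.write('<img src=\"/banner.png\">');"
INJECTED = LEGIT_TAG + b"\n/* constructed marker: injected loader would be here */"

def mock_fetch(url, profile):
    if profile["headless"] or "iPhone" not in profile["ua"]:
        return LEGIT_TAG
    return INJECTED

if __name__ == "__main__":
    # Constructed tag URL; a real scan would point at the operator's own ad server.
    print(detect_cloaking(mock_fetch, "https://ads.example.test/tag.js", baseline=digest(LEGIT_TAG)))
```

Against a live server, the same divergence check also catches the cloaking of the second-stage hosts, since those likewise answer differently depending on who is asking.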
technical details, code samples, and examples of obfuscation in this original post from @eliyastein of @WeAreConfiant
if you don't have this level of technical detail, DON'T have your PR person contact me https://t.co/PY75UAJDke
— Augustine Fou, PhD (@acfou) April 19, 2021
Ads crafted by the group appear quite sophisticated. The creators have obviously taken pains to avoid raising suspicion.
The group is deploying multiple payloads to trick visitors into installing an unsafe app, paying fraudulent computer support fees, or taking other harmful actions.
So far, the malvertising group Tag Barnakle has placed its ads mostly on websites that serve questionable content. In other words, sites that offer illegal software and other products have been victims.
The company that owns the compromised ad servers is working to stop further attacks and protect its servers. General internet users, on the other hand, should avoid visiting any website that hosts questionable content.