Researchers have found that more than 120 ad servers were compromised by cybercriminals, who used them to display malicious advertisements to millions of devices worldwide.
Codenamed Tag Barnakle, the malvertising campaign was first reported in April 2020, and over the past year, has affected double the number of unpatched open-source Revive ad servers and tens of millions of users — if not hundreds.
Malvertising campaigns usually require the attackers to come across as legitimate ad tech insiders and media buyers, but according to researchers at Confiant, Tag Barnakle bypasses this step by compromising the ad server infrastructure itself.
“Tag Barnakle, on the other hand, is able to bypass this initial hurdle completely by going straight for the jugular — mass compromise of ad serving infrastructure. Likely, they’re also able to boast an ROI that would eclipse their rivals as they don’t need to spend a dime to run ad campaigns,” wrote Eliya Stein, security engineer and researcher at Confiant.
The malvertising campaign has targeted over 120 ad servers running Revive, an open-source ad server mostly used by companies that want to avoid third-party ad servers by running their own.
The malvertisers load a malicious payload onto the compromised ad server and then use client-side fingerprinting and server-side cloaking to evade detection. The following diagram depicts Tag Barnakle’s payload flow.
Tag Barnakle has pivoted towards mobile malvertising
The researchers also found that the malvertisers were now pushing campaigns targeting mobile devices — Android and iOS — rather than desktops, which were the target in last year’s findings.
Last year, Tag Barnakle was found to have compromised a total of 60 ad servers, directly displaying ads on over 360 websites but indirectly affecting tens of thousands of websites, because the hacked ad servers were integrated with several ad exchanges through RTB (real-time bidding). The malicious desktop-targeted ads were hidden behind fake Flash updates.
While the scam seems to have shifted to more portable devices, its root is still the same. Users are lured into installing obscure VPN, security and safety apps that either carry hidden costs or install adware to profit from unsuspecting users.
The researchers also found that, like in previous instances, a domain used by Propeller Ads was used to serve the malicious ads and payload to Android and iOS users.
“The compromises seem to impact some moderately trafficked publishers and plenty of long-tail websites, however, the list includes a sizable amount of ad platforms and media companies that have built their technical stack on Revive,” Stein explained.