A malvertising campaign known as “Tag Barnakle” was behind the breach of more than 120 servers over the past year. It managed to inject code in order to show malicious ads. The ads redirect users to malicious websites, exposing them to malware or scamware.
Malvertising is the practice of incorporating malware into online ads. Usually, operators infiltrate the ad-tech systems, buy space on legitimate websites and then run malicious ads. To do this, they use “convincing personas”.
Tag Barnakle is different, as it can bypass this step. Instead, it manages to “mass compromise the ad serving infrastructure,” according to Eliya Stein, a security researcher at Confiant.
Stein mentioned that this leap comes after the same campaign managed to compromise 60 servers in April of last year. The infections targeted the open-source Revive advertising server.
The campaign seems to follow the same path, but the attackers have upgraded their tools. They can now target mobile devices, whereas last year they focused only on desktop computers. “Tag Barnakle is now pushing mobile targeted campaigns,” Stein added.
In this campaign, websites that receive ads through the hacked servers use users’ data and later deliver a JavaScript payload. The payload then redirects users to malicious websites. The main purpose is to lure them to a fake app store.
The store lists fake apps (security, safety, or VPN) that carry hidden subscription costs. Some of them also hijack the traffic a second time.
According to Confiant, the reach of Tag Barnakle might be “hundreds of millions of devices.” This is because a significant number of ad platforms and media companies use Revive’s server solution.
Stein considers this a “conservative estimate,” as the attackers lure their victims at a low frequency. The reason is “to slow down detection of their presence.”