Malware Attack Bypasses Blockers to Target Consumers


U.S., UK and German media publishers were targeted with an ad-delivered phishing and adware campaign over the weekend that quickly ramped to affect millions of visitors to dozens of media websites in just a few hours. The attack used more than 30 ever-changing URL patterns to successfully slip past malware blockers on dozens of premium publishers, from local news and sports to specialty topics across the Alexa 500 covering cooking, travel, automotive, and government institutions.

Detected via tag and in-the-wild site scanning, the campaign used three major DSPs to carry out the attack. While the end result for the user was the same, the attack followed one of two primary paths:

  • DSP 1 & DSP 2 directly delivered a malicious campaign via creative hosted by an independent ad server. [Figure 1] Upon satisfaction of certain conditions (e.g. Chrome, mobile device), the server delivered unnecessary content from one of two well-known hosting providers, verified this content’s delivery to a vulnerable device, and then forced a redirection which prompted the user to download a malicious payload in the form of adware. Typically, desktop users are served an unwanted PC optimization program while mobile users are redirected to a range of malicious pages.

Figure 1: Sample creative used to trigger the malvertising activity for DSP 1 & DSP 2


  • DSP 3 was called by several premium SSPs and, if certain conditions were met, delivered unnecessary content from one of two well-known hosting providers. [Figure 2] Again, it performed checks to ensure content delivery before executing another URL to prompt the user to download the unwanted adware, i.e., the malicious payload.

Figure 2: Sample HTML5 creative used to trigger the malvertising activity for DSP 3

These three DSPs propagated the campaign across the most widely used SSPs to penetrate publisher websites. While not new, this most recent attack started in the early morning hours on Saturday, July 25, and evolved its attack structure through Monday, July 27. The campaign continued until The Media Trust worked with the primary affected adtech providers to identify the buyer seats and terminate the campaign at the source.

IcePick-3PC, a phishing campaign to flout data privacy regulations

First detected in October 2018 and sometimes referred to as eGobbler, the IcePick-3PC campaign leverages compromised third-party tools—used to implement interactive web content and animation in digital advertisements—to redirect and exfiltrate sensitive user and device information. These third-party tools are often pre-loaded onto client platforms by self-service agencies. 

In this instance, the ad-delivered malvertising used libraries for compiling HTML5 code to launch the attack by injecting extra code, which led users to download the malicious content and enabled device data collection.

Utilizing built-in JavaScript functionality permitted by the browser, the malware uses the WebRTC platform to establish a connection between the infected device and a remote host. This connection harvests device-specific data including device model, browser version and IP address. Targeting vulnerable mobile Android devices, the final stage of the attack initiates a prompt for the user to download a fraudulent Google Play Store application, which delivers persistent adware to the device.

Blocker-evading sophistication

These campaigns were detected on at least a dozen premium publishers where a malware blocker was in use. Malware blockers rely on a block list, in effect, a list of known URLs or hosts to block against. In this dynamic situation the malicious URLs are constantly changing, rendering a static or infrequently updated block list ineffective. Publishers are left with the choice to block the compromised DSP, or downstream SSP, and forgo legitimate revenue.

Real-time scanning is required to not only identify the emerging attack but also to track (and even anticipate) its evolving patterns. The patterns need to be fed into the blocking appliance at least every 15 minutes to keep abreast of the attack.
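
An added example, not code from The Media Trust or from any blocker product: the code below contrasts an exact-match block list with a pattern feed that enforces the 15-minute freshness limit described above. All hosts, paths and the regular expression are constructed for illustration, and `staticBlocks`, `PatternFeed` and `summarize` are hypothetical names.

```javascript
// Added example; every host, path and pattern below is constructed.
const MAX_FEED_AGE_MS = 15 * 60 * 1000; // refresh interval named in the article

// Static block list: exact host + path entries, as captured at one moment.
const staticList = new Set(["a1.ads.example.invalid/c/7f3a/load.js"]);

function staticBlocks(rawUrl) {
  const u = new URL(rawUrl);
  return staticList.has(u.hostname + u.pathname);
}

// Pattern feed: regexes over host + path, stamped with the time they arrived.
class PatternFeed {
  constructor() { this.patterns = []; this.updatedAt = null; }
  update(sources, now) {
    this.patterns = sources.map((s) => new RegExp(s));
    this.updatedAt = now;
  }
  isStale(now) {
    return this.updatedAt === null || now - this.updatedAt > MAX_FEED_AGE_MS;
  }
  check(rawUrl, now) {
    const u = new URL(rawUrl);
    const target = u.hostname + u.pathname;
    const blocked = this.patterns.some((p) => p.test(target));
    return { blocked, stale: this.isStale(now) };
  }
}

// Constructed traffic: one campaign rotating its subdomain and path token.
const wave1 = [
  "https://a1.ads.example.invalid/c/7f3a/load.js",
  "https://k9.ads.example.invalid/c/02bd/load.js",
  "https://zz.ads.example.invalid/c/e41c/load.js",
];
const wave2 = ["https://cdn.media.example.invalid/v2/run/9c1e"]; // new URL shape
const benign = "https://static.example.invalid/lib/player.js";

function summarize() {
  const t0 = 0, feed = new PatternFeed();
  feed.update(["^[a-z0-9]+\\.ads\\.example\\.invalid/c/[0-9a-f]{4}/load\\.js$"], t0);
  const later = t0 + 20 * 60 * 1000; // 20 minutes pass with no feed update
  return {
    staticHits: wave1.filter(staticBlocks).length,
    patternHits: wave1.filter((u) => feed.check(u, t0).blocked).length,
    benignBlocked: feed.check(benign, t0).blocked,
    wave2Missed: !feed.check(wave2[0], later).blocked,
    staleAtWave2: feed.check(wave2[0], later).stale,
  };
}
```

The `stale` flag is the signal to act on: a miss returned by a feed older than 15 minutes is not evidence that the URL is clean, so a blocker should alert or fail closed until the feed is refreshed.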

Next Steps & Recommendations

The Media Trust shut down the attack with DSP 1 within a few hours after the campaign began, while DSP 2 confirmed early Sunday morning. DSP 3 confirmed the buyer seat shut down on Monday morning. In the meantime, both Google and TAG’s Threat Exchange were provided key details to block and share campaign details through their channels. The next step is debriefing authorities to supplement their malvertising prosecution efforts.

This type of campaign is harmful to both consumers and publishers. Not only are redirects and unwanted programs damaging to the user experience, but the unauthorized collection of device data could also subject the website owner to regulatory violations.

For these reasons, adtech and publishers should:

  • Identify upstream partners involved in the incident and confirm the buyer seat is shut down
  • Request details on how your partners vet their clients, especially those using self-serve platforms
  • Incorporate real-time scanning