Malware RoundUP: The most prominent attacks over the past year

Malware RoundUP: The most prominent attacks over the past year
featured image

This blogpost was authored by Mike Bittner, Associate Director of Digital Security & Operations at The Media Trust.

Below is a round-up of the past year’s most prominent attacks on ad-supported and non-ad supported websites through third-party code suppliers. These attacks underscore how a growing number of bad actors are exploiting the opaqueness of the digital ad supply chain and, more broadly, e-commerce websites. 

Digital advertising-related breaches

Malvertising continues to be a lucrative investment for bad actors amid the continuing climb in digital market spend, which is expected to reach $357 Billion by 2020.

Estimates of how much fraudulent impressions, infringed content, and malvertising cost the US digital marketing and media industry is around $8.2 billion annually.

Hidden Bee Miner

  • Impact: Visitors in Asia of adult sites that feature infected ads. 
  • Method: Attacks are spread via malvertising. Visitors are redirected to the exploit kit page. Bad actors use encryption to execute and key exchange with the backend server in order to decrypt and execute the exploit. The compromised devices 

Master 134

  • Impact: 10,000 compromised unpatched WordPress sites, several online advertisement publishers, resellers and networks, including a company known as AdsTerra. Around 300M visitors affected.
  • Method: Master 134 posed as an online publisher and inflated site traffic by compromising 10K WordPress sites running 4.7.1 version. Traffic to these sites were redirected to Master 134’s site. Users were redirected to pages run by ad networks (like AdsTerra), which redirected users to a malicious domain that dropped banking trojans, ransomware, and bots into users’ systems.

Vidar and Gandcrab Double Whammy

  • Impact: Visitors of Torrent and other video streaming sites–documents, cookies and browser histories (including from Tor), currency from wide array of cryptocurrency wallets, data from 2FA software and text messages, screenshots.
  • Method: Site visitors are redirected based on their location to one of at least two exploit kits, Fallout and GrandSoft. Fallout delivers Vidar, which searches for data such as IP address, country, city, and ISP and sends to the C2 server. Vidar downloads the GandCrab ransomware, which encrypts the victim’s files, hijacks the wallpaper to display the ransom note.

3ve Takedown

  • Impact: $29M were stolen from advertisers and publishers. Google and 20 other companies collaborated with the FBI on catching the perpetrators.
  • Method: Three 3ve operations infected users’ computers, remotely controlled hidden browsers, stole corporate IP addresses, and spoofed websites.


  • Impact: Visitors of adult websites, online games, and blackhat sites whose ads are managed by low quality ad networks. 
  • Method: Ads included javascript that would redirect visitors to malicious pages and drop the Fallout exploit kit, which would install the malware payload. One campaign would distribute the Danabot password stealing trojan and another would install the Nocturnal stealer and GlobImposter ransomware.

Ads.txt Botnet Scam

  • Impact: Publishers whose sites are being spoofed
  • Method: Spammers would spoof the sites, use a botnet to inflate page views, and opened accounts with publishers’ approved resellers. 


  • Impact: 3 digital advertising platforms
  • Method: Malware was inserted into an ad disguised as creative from a major US department store. When the ad viewer’s device met certain conditions (ie, user agent is mobile-specific, batter level falls between 20-76%, referrer is specified), the viewer would be redirected to a malicious site. 


  • Impact: Small e-commerce operations with Magento-hosted sites. 
  • Method: The malware targets the sites’ payment pages. These companies used a variety of payment gateway providers. When users enter their credit card information and submit payment, the malware encrypts the information and sends it to a C2 server. The malware obfuscates the malicious domain and data collection activity to get passed blockers. It uses no cookies that might alert the user to the malware.


  • Impact: Apple device users who clicked on an ad featured in a Pulitzer Prize winning newspaper.
  • Method: When visitors clicked on the infected ads, the malware would check if the device was an iOS, etc. If the device is an iOS a fraudulent Apple Pay credit card information screen would prompt the user to enter their credit card details. The details would be sent to a C2 server. 


  • Impact: Visitors of a website that used third party tools to incorporate interactive web content like HTML5 and animation. 
  • Method: When visitors go to a site with a compromised third-party library, the malware will extract and collect the devices IPs en masse, break through VPNs in order to intercept the IPs. Sophisticated coding behind the malware suggests the use of dark code by a cybercrime ring.


  • Impact: 44 ad tech vendors and site visitors of 49 premium publications
  • Method: Sneaked past three ad exchanges via infected legitimate retailer ads. When an attack was identified and shutdown, others would launch. The shifts in supply chain routes made detecting the malware extremely difficult.

Non-advertising breaches via third-party code

Travel aggregator

  • Impact: A legacy website and partner platform where compromised by hackers. 880K credit cards may have been exposed.
  • Method: Details are scarce. It’s likely that the website and platform were retired but not being monitored for unsanctioned activities.

Education technology provider

  • Impact: 40M+ users—personal information including names, email addresses, shipping addresses, account logins.
  • Method: Unauthorized party gained access to a database that hosts user data for and some other sites within the company.

A Q&A online community

  • Impact: Account information of 100M+ users—including names, email addresses, encrypted passwords, data from user accounts, public questions and answers
  • Method: Malicious third party hacked one of its systems

Magecart Group 5

  • Impact: This group uses the same skimmer as other groups but specifically targets the web supply chain—i.e., online service providers for web merchants. 100K sites have been affected.
  • Method: Malicious script would overlay the login or transaction pages. In some instances, the malicious script would add an additional step to the transaction. 
  • Examples:
    • An event ticket distributor
      • Impact: All websites that run code from software companies that were targeted by crime groups using the Magecart malware. 
      • Method: The cyber syndicate targeted third-party code suppliers altered the code to change the behavior of sites that ran the compromised code. These third-party code suppliers developed code to enable or improve analytics, content delivery, etc.

Magecart Group 6:

  • Impact: Top tier targets like an airline and a consumer electronics retailer.
  • Method: The group has a strong grasp of how the targets process payments, so they can integrate their skimmer. Once a consumer fills out their payment information the skimmer grabs and sends the information before the user hits the purchase button.
  • Examples:
    • Airline
      • Impact: 380K+ users who entered card payment information to book their flights on the airline’s website and app. 
      • Method: Hackers used cross-site scripting—injecting code into the poorly secured web page in order to alter the compromised site’s behavior. The malicious code would grab data that travelers entered into a payment form. The code also affected the Android app.
    • Consumer electronics retailer
      • Impact: consumers who shopped on the site. 45M visitors might have been affected.
      • Method: Hackers injected the card skimming code into the payment page. It then siphoned off the card information into a C2 server with a similar domain name.


Find out more about The Media Trust’s Malware Attack Data.

To speak with our team about malware attack data, contact: Darcy Dinga or Alex Calic. Or call us at 703-893-0325.