This article originally appeared in Infosecurity Magazine on February 4, 2019.
A malicious campaign has been targeting premium publishers using malvertising that looks like legitimate ads for popular retailers, according to The Media Trust.
Researchers today published a blog post explaining that a large-scale malicious campaign attempted to exploit 44 adtech vendors with the ultimate goal of attacking the millions of customers who visit 49 of the Alexa 500 premium publisher sites.
Nearly 80% of the devices targeted were running iOS. Of the more than 600,000 attacks that were detected and analyzed, researchers discovered that unsuspecting visitors didn’t even need to click on any of the ads. By visiting the sites, they were redirected to malicious content prompting them to enter their login credentials. This campaign is reportedly unique because of the malware’s adaptability.
“The group behind the attack had designed an adaptive campaign so that as soon as one malware and supply chain route was identified and terminated, another attack would immediately ensue using different malware and alternative supply chain routes,” researchers wrote.
“Each time attacks were identified and foiled, new ones would launch using other ad formats, fire up new supply chain routes, and employ unique code obfuscation techniques.”
Researchers also said, “combining resources that fed into the entire solution was key,” and they suspect that victims who visited less monitored sites likely had some of their credentials compromised.
“The DSO’s success in preventing further damage in an environment of increasingly sophisticated attacks speaks to the effectiveness of continuous monitoring, as well as cooperation,” said Mukul Kumar, chief information security officer and VP of cyber practice at Cavirin.
“Moving forward, in order to ensure an organization’s or site’s cyber posture, this approach must be the norm rather than the exception.”
Given that these adaptive campaigns are growing increasingly more potent and prolific, researchers advised, “the value of real-time scanning and analysis is the only way to keep abreast of these quickly morphing attacks. Anything less would have left the publishers and their vendors defenseless against the onslaught of attacks.”