26 May 2017

RoughTed malvertising campaign bypassing ad blockers

With more than a half billion domains infected by the RoughTed malvertising operation, its effectiveness only continues to escalate, according to Jérôme Segura, lead malware intelligence analyst at Malwarebytes Labs, writing on the company blog.

While it peaked in March 2017, the scourge has been rolling out for more than a year with a dark cornucopia encompassing scams and exploit kits that go after a broad range of targets using their operating system, browser and geolocation to inject the appropriate payload, Segura wrote.

And its success in compromising systems lies in its sophisticated techniques that usurp control from victims and get around ad-blockers. Exacerbating attempts to mitigate the threat is the bad actors' strategy for obfuscating their activity. They have been using the Amazon cloud infrastructure – in particular, its Content Delivery Network (CDN) – "while also blending in the noise with multiple ad redirections from several ad exchanges, making it more difficult to identify the source of their malvertising activity," Segura explained.

By exploiting fingerprinting and ad-blocker bypassing techniques upstream, the RoughTed campaign has polluted thousands of publishers, ensnaring more than half a billion visits in just the past three months. Once struck, it delivers a mix of payloads, including scams, exploit kits and malware.

Analysis by the Malwarebytes team found that most of the domains used to spread RoughTed were created through the EvoPlus registrar in small batches, with a new .ru or .ua email address each time, Segura said. Each was being used as a gateway intended to work around ad-blockers.

The intention is to increase traffic on targeted websites via streaming video or file-sharing sites associated with URL shorteners – sites popular with bad actors because of their lax security. For example, particularly invasive code embedded in RoughTed uses fingerprinting techniques that can profile users "and identify those that may be cheating the system by lying about their browser or geolocation," Segura explained.

And the malvertising is agnostic when it comes to browsers and operating systems. It can deliver payloads to Mac users too, through fake Flash Player updates. Segura urges users, no matter which platform or browser they use, to be careful when downloading extensions or software from third-party distributors.

And, the miscreants behind RoughTed are infecting mobile platforms as well, iOS and Android, by delivering their malvertising through automated redirects to a number of random apps that deliver commissions to them on each install. Obfuscated code with a RoughTed domain (suspecial.info) was also detected in at least one tech support scam observed in France, Segura pointed out.

As for the exploit kits involved, most of those targeted by RoughTed malvertising campaigns were in the U.S. and Canada, followed by the U.K., Italy, Spain and Brazil. "Malvertising may look easy on the surface but is actually a much more complex and deep-rooted issue," Segura said. The traditional solution has been to install ad-blockers, but the coders behind RoughTed are clever in employing dynamically created scripts to force redirections that make their way past ad-blockers, he concluded.
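The redirect chains described above (ad exchange to ad exchange to a cloud-hosted gateway to the final landing domain) are visible in web proxy or gateway logs even when the browser-side script that forced them is obfuscated. The following is an added example, not code from the article or from Malwarebytes, showing how a defender can reconstruct per-client redirect chains from such logs and flag the ones that land on a watchlisted domain or hop through an unusual number of hosts. The log format, the client addresses and all hostnames except suspecial.info (which the article names) are constructed for the example.

```python
"""Reconstruct HTTP redirect chains from proxy logs and flag ones that end
on a known malvertising domain or hop through many intermediaries.

Added example; the log format and all hostnames other than suspecial.info
are constructed assumptions, not data from the article.
"""
from collections import defaultdict
from urllib.parse import urlparse

# suspecial.info is the domain the article associates with RoughTed; in
# practice the rest of the watchlist comes from your threat-intel feed.
WATCHLIST = {"suspecial.info"}

# Constructed log lines. Fields: timestamp, client, requested URL, HTTP
# status, Location header ("-" when the response carried none).
SAMPLE_LOG = """\
2017-05-25T10:00:01Z 10.0.0.5 http://video-stream.example/watch?id=42 200 -
2017-05-25T10:00:02Z 10.0.0.5 http://ads.exchange-a.example/click?cid=9 302 http://track.exchange-b.example/r?u=9
2017-05-25T10:00:02Z 10.0.0.5 http://track.exchange-b.example/r?u=9 302 http://cdn.cloud-host.example/gw/abc.js
2017-05-25T10:00:03Z 10.0.0.5 http://cdn.cloud-host.example/gw/abc.js 302 http://suspecial.info/landing?geo=FR
2017-05-25T10:00:03Z 10.0.0.5 http://suspecial.info/landing?geo=FR 200 -
2017-05-25T10:01:00Z 10.0.0.7 http://news.example/article 200 -
2017-05-25T10:01:01Z 10.0.0.7 http://shortlink.example/x1 302 http://news.example/other
2017-05-25T10:01:01Z 10.0.0.7 http://news.example/other 200 -
"""


def parse_log(text):
    """Split each log line into a dict; a Location of '-' becomes None."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, status, location = line.split()
        entries.append({"ts": ts, "client": client, "url": url,
                        "status": int(status),
                        "location": None if location == "-" else location})
    return entries


def build_chains(entries):
    """Follow Location headers per client to rebuild each redirect chain."""
    by_client = defaultdict(dict)  # client -> {requested url: redirect target}
    for e in entries:
        if e["location"]:
            by_client[e["client"]][e["url"]] = e["location"]
    chains = []
    for client, hops in by_client.items():
        targets = set(hops.values())
        for start in hops:
            if start in targets:
                continue  # reached from another hop, so not a chain head
            chain, seen, cur = [start], {start}, start
            while cur in hops and hops[cur] not in seen:  # 'seen' stops loops
                cur = hops[cur]
                chain.append(cur)
                seen.add(cur)
            chains.append((client, chain))
    return chains


def host_of(url):
    return urlparse(url).hostname or ""


def flag_chain(chain, max_hops=3):
    """Return the reasons a chain is suspicious (empty list if none)."""
    reasons = []
    final = host_of(chain[-1])
    if final in WATCHLIST:
        reasons.append(f"lands on watchlisted domain {final}")
    redirects = len(chain) - 1
    if redirects >= max_hops:
        hosts = len({host_of(u) for u in chain})
        reasons.append(f"{redirects} consecutive redirects across {hosts} hosts")
    return reasons


def analyse(text):
    """Parse the log, rebuild chains and return only the flagged ones."""
    findings = []
    for client, chain in build_chains(parse_log(text)):
        reasons = flag_chain(chain)
        if reasons:
            findings.append({"client": client, "chain": chain, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["client"], " -> ".join(host_of(u) for u in f["chain"]))
        for r in f["reasons"]:
            print("   ", r)
```

On the constructed log only the 10.0.0.5 chain is flagged, for both reasons: it passes through three redirects across four hosts and ends on the watchlisted domain. The single-hop URL-shortener chain for 10.0.0.7 is left alone, which is the point of combining a hop-count threshold with a watchlist rather than alerting on every 302.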

When asked how the attackers continue to alter their code, Segura said on Thursday that threat actors are keenly aware of the tools and behaviors that may affect their chances of making a profit. "What we observed is a natural fight back to reach as large of an audience as possible."

As to what can be done to defend against RoughTed, Segura said that it is a good example of how diverse malvertising can be, for instance serving scams or exploits. "That means users need to employ various types of protection to fend off those attacks, and it also shows that ad-blockers alone aren't enough."

One thing Segura and his team noticed early on was how far this group went to bypass ad-blockers and serve the most appropriate content for each potential victim. "Since more and more users are running an ad-blocker, the crooks had to find a way to still be able to distribute malicious ads, no matter what," he said.

And as for what this new delivery method tells us about the coders, Segura explained that these threat actors are very motivated and, without a doubt, generating a lot of revenue from affiliate commissions. "We can only expect more aggressive techniques to force malicious code in new ways that can circumvent the basic tools people have become accustomed to using."


Tags: information leaks, fraud
Source: SCMagazine