CONTEXT:
In the midst of COVID-19, vogue of cyber brawl continues. Hackers have found another way to intercept your web request followed by your browser. A mysterious hacker’s group have been taking over ads’ server for the past nine months. In this technique intruders insert malicious ads into their ad inventory, which later on redirect users to malware download sites. This cheeky hacking campaign was discovered last month by cyber-security firm Confidant and appears to have been running for at least nine months, since August 2019.Sources says hackers have targeted advertising networks running old versions of the Revive open-source ad server. Hackers breach outdated Revive servers and silently append malicious code to existing ads and get root access to the system.
Confidant says it identified around 60 Revive ad servers that have been compromised by this hacker group which the company has codenamed Tag Barnakle. Barnakle is a rare breed of malvertiser. Malvertising groups that hack/exploit ad servers.
The company says the group has managed to load its malicious ads on thousands of sites, with the malicious ads being broadcast to other ad companies thanks to RTB (real-time bidding) integrations between services.
What is Revive?
The Free Open Source Ad Server is formerly known as OpenX Source. Revive Ad server is a free open source ad serving host system that enables publishers, ad networks, and advertisers to serve ads, manage campaigns, track and report campaign performance. It provides better user interface and it is one of the best web ads hosting platform which enables easy monetization of websites.
How does it work?
Once the user clicks on the maliciously scripted ads, then the user is tricked into the tainted ads which load on legitimate sites, the malicious code hijacks, and redirects site visitors to websites offering malware-laced files, usually disguised as Adobe Flash Player updates. It’s basically a kind of malvertising that tricks users into believing the consent of the ad.
What is MALVERTISING?
Malvertising is an attack in which perpetrators inject malicious code into legitimate online advertising networks. The code typically redirects users to malicious websites which manipulates the user to download hazardous files that result to the exploitation of the device.
The downloaded file may be capable of (RCE) Remote Code execution which could potentially grant the highest system privilege to the perpetrators. This type of attack is usually made possible due to browser vulnerabilities. It displays unwanted advertising, malicious content, or pop-ups, beyond the ads legitimately displayed by the ad network. This is done by executing Javascript.
Many browsers including Google Chrome, opera, safari are able to execute javascript.
What Does malvertising Do?
We are so fond of using ads and pop-ups while browsing that it may be tough and difficult to differentiate whether device has malvertising ability or if it’s just showing up another on-site advertisement hosted on its webserver.
Below, mentioned are some noticeable signs and symptoms to recognize this vulnerability:
- Browsers home page might change or differ than usual.
- Unwanted ads might show up on the place where it shouldn’t be.
- Web pages that you frequently visit often don’t display the same way.
- Website links redirect you to unintended pages having annoying interface having “DOWNLOAD” written everywhere.
- Your web browser is extremely slow
- New toolbars, plugins or extensions appear without your permission.
- Unwanted software applications start automatically installing without administrative permission.
- Your browser keeps crashing
- There might be an exponential rise in data usage.
How to Prevent Malvertising?
To prevent adware from downloading on your device, it’s important to be cautious of any websites that might look untrustworthy. The malvertisements are seemingly everywhere, but there are a few precautionary steps you can take:
- Update your REVIVE server/plugins to its latest version.
- A popular notice is one that says your PC is infected by a virus and an antivirus needs to be installed. This is a trap that many people fall for.They convince the users to download the antivirus which actually itself is a virus.
- Disable Flash players. It is a frequent target for attackers,which contains security vulnerabilities and exploits.
- Use script management add-ons. As most ads and scripts are automatically implemented, you can use a script blocking browser extension to control your web content.
- Install a full paid version of reputed antivirus software.
- Use Windows Defender and Malwarebytes Premium for a more secure system.
- Block browsers from self-executing java scripts.
