AdGholas Malvertising Campaign Snared 1 Million Victims Per Day

A malvertising campaign dubbed AdGholas has pulled in as many as 1 million victims per day during its year-long run.

Discovered by Proofpoint and shut down this month after the ad networks involved were alerted, AdGholas shows how far attackers will go to stay stealthy and effective against the latest defensive advances.

For instance, AdGholas carefully targeted its malicious ads and filtered impressions on the victim's PC language settings, time zone and even whether the PC was OEM-branded. The OEM check is worth dwelling on: an OEM-branded machine is far more likely to be a real consumer PC than the generic virtual machine a researcher or automated sandbox would present, so the check doubles as an anti-analysis filter.

In addition to precise targeting, it hid behind carefully cloned copies of legitimate websites to avoid drawing attention. It also used steganography: hiding data, in this case code, inside innocuous-looking carriers such as images, text or HTML, so that scanners inspecting the carrier by traditional means see nothing but the carrier.
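To make the two evasion layers concrete, here is an added, hypothetical example (it is not AdGholas's code and not from Proofpoint's report) that runs offline on constructed data. Layer one is an impression filter of the kind described: a profile object stands in for what an ad script would read from the browser (`navigator.language`, `Date#getTimezoneOffset`, some OEM indicator), and the target locales and the time-zone offsets considered plausible for each are assumptions. Layer two hides a payload in the least-significant bits of image pixel bytes; that is a standard steganographic scheme chosen for illustration, since the article does not specify AdGholas's encoding. The sample "image" and the marker string standing in for the hidden redirect instruction are constructed.

```javascript
// Added, hypothetical example (not AdGholas's code): impression filtering by
// language/time zone/OEM branding, then LSB steganography over pixel bytes.
// All names, target values and sample data below are constructed assumptions.

// Layer 1: which UTC offsets (getTimezoneOffset units: minutes, positive west
// of UTC) are plausible for each targeted locale. Assumed values.
const PLAUSIBLE_TZ_OFFSETS = {
  'en-US': new Set([240, 300, 360, 420, 480]), // US Eastern..Pacific, DST or not
  'en-GB': new Set([0, -60]),                  // GMT / BST
};

function passesImpressionFilter(profile) {
  const offsets = PLAUSIBLE_TZ_OFFSETS[profile.language];
  if (!offsets) return false;                        // not a targeted locale
  // Sandboxes often report a UTC clock alongside a non-UTC locale; require the
  // time zone to agree with the language.
  if (!offsets.has(profile.timezoneOffsetMin)) return false;
  // OEM branding is read as a sign of real consumer hardware rather than an
  // analyst's generic virtual machine.
  return profile.oemBranded === true;
}

// Layer 2: LSB steganography over raw pixel bytes (e.g. RGBA). A 32-bit
// big-endian length prefix tells the extractor where the payload ends.
function lsbEmbed(cover, payload) {
  const framed = new Uint8Array(4 + payload.length);
  new DataView(framed.buffer).setUint32(0, payload.length);
  framed.set(payload, 4);
  if (cover.length < framed.length * 8) throw new Error('cover too small for payload');
  const stego = Uint8Array.from(cover);
  framed.forEach((byte, i) => {
    for (let b = 0; b < 8; b++) {
      const bit = (byte >> (7 - b)) & 1;             // MSB first
      const k = i * 8 + b;
      stego[k] = (stego[k] & 0xfe) | bit;            // only the LSB changes
    }
  });
  return stego;
}

function lsbExtract(stego) {
  const readByte = (i) => {
    let v = 0;
    for (let b = 0; b < 8; b++) v = (v << 1) | (stego[i * 8 + b] & 1);
    return v;
  };
  const len = new DataView(Uint8Array.from([0, 1, 2, 3].map(readByte)).buffer).getUint32(0);
  if ((4 + len) * 8 > stego.length) throw new Error('length prefix inconsistent with carrier');
  return Uint8Array.from({ length: len }, (_, i) => readByte(4 + i));
}

// Largest per-byte change between cover and stego image. It is at most 1,
// which is why a visual check or a naive pixel diff does not reveal the payload.
function maxByteDelta(a, b) {
  let max = 0;
  for (let i = 0; i < a.length; i++) max = Math.max(max, Math.abs(a[i] - b[i]));
  return max;
}

// Constructed sample data: a deterministic pseudo-random "image" (LCG bytes)
// and a marker string standing in for the hidden redirect instruction.
function makeCover(n, seed = 12345) {
  const out = new Uint8Array(n);
  let x = seed >>> 0;
  for (let i = 0; i < n; i++) {
    x = (Math.imul(1103515245, x) + 12345) >>> 0;
    out[i] = (x >>> 16) & 0xff;
  }
  return out;
}
const SAMPLE_COVER = makeCover(64 * 64 * 4);        // 64x64 RGBA, constructed
const SAMPLE_PAYLOAD = new TextEncoder().encode('redirect=https://landing.example.invalid/');
const SAMPLE_STEGO = lsbEmbed(SAMPLE_COVER, SAMPLE_PAYLOAD);

// The ad only unpacks the hidden instruction for profiles that pass the filter;
// everyone else, including an analyst's VM, gets the carrier image and nothing more.
function serveAd(profile, stegoImage) {
  if (!passesImpressionFilter(profile)) return { action: 'benign-ad' };
  return { action: 'redirect', instruction: new TextDecoder().decode(lsbExtract(stegoImage)) };
}
```

The defensive lesson is in the two gates: a crawler or sandbox that fetches the creative from a UTC-clocked, unbranded VM never reaches `lsbExtract`, and even if it saves the image, the carrier differs from a clean one by at most one unit per byte. Detection therefore has to look at where the image bytes flow (into a decoder that yields executable code) rather than at the image itself.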

“The practice has legitimate uses in cryptography. But in this case, it was used to deliver malware that went undetected within seemingly benign JavaScript code,” the researchers noted in a blog.

AdGholas was also a sprawling enterprise. Proofpoint researchers estimate that its referral networks, spanning more than 20 ad agencies and ad exchange platforms, supplied 1 to 5 million high-quality referrals per day. A high-quality referral is a visitor who is likely to click on an ad because of its relevance and targeting, and who is also likely to be running a vulnerable PC; sustaining that volume of filtered traffic is what made the targeting described above so effective.

Malvertising leverages legitimate ad networks and often dubious referral networks to display advertising across a wide range of web properties; these ads in turn are one of the biggest drivers of traffic to exploit kits (EKs), which infect visitors through so-called "drive-by" downloads. Large black-market ecosystems support the practice. But EK traffic dropped off precipitously in the second quarter of this year, and some wondered where the change would leave malvertisers.

“Although recent changes in the exploit kit landscape suggest a contraction in the drive-by malware scene, AdGholas shows that the threat is not diminishing,” Proofpoint researchers said. “Instead, AdGholas is a vivid reminder that attackers continue to evolve. Their increasingly sophisticated techniques enable them to remain stealthy and effective even in the face of the latest defensive advances.”
