A massive malware campaign targeting 49 premium publishers ranked in the Alexa top 500 sites has been discovered recently. The ultimate goal of the campaign was to exploit 44 adtech vendors and compromise the personal data of the millions of visitors to those 49 premium publisher sites.
How widespread is the campaign?
In a report released by The Media Trust, researchers found that the group behind the attack had designed an adaptive technique which would enable them to continue their infection process even after the detection/termination of one malware or a supply chain attack route.
“Each time attacks were identified and foiled, new ones would launch using other ad formats, fire up new supply chain routes, and employ unique code obfuscation techniques,” stated the researchers in the report.
Researchers further noted that, in just the first two days of the attack campaign, around 80% of the devices targeted were running iOS.
“Over the course of just two days, the Digital Security & Operations (DSO) terminated at their source more than 600,000 instances of malware, and, in so doing, shielded the visitors’ devices, around 80% of which ran on iOS. The attackers’ persistence leaves little doubt that the campaign succeeded in stealing personal information from the visitors of less secure, unmonitored sites,” indicated the researchers, in the report.
The attackers sneaked into three large ad exchanges to hijack legitimate ads. These legitimate ads were then injected with malicious code to infect visitors to the publishers’ sites. The worst part of the attack was that visitors did not even have to click on any of the ads: merely by visiting the sites, they were redirected to malicious content prompting them to enter their login details.
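The forced redirect described above works because an ad creative rendered in an ordinary iframe is allowed to navigate the visitor's top-level page without any click. The snippet below is an added example, not code from the article or from The Media Trust's report: it audits a page fragment's ad-slot iframes and reports which ones could still be redirected by the creative without user interaction, i.e. slots that are unsandboxed or whose `sandbox` attribute grants `allow-top-navigation`. The HTML sample, slot ids and helper names are constructed for illustration.

```javascript
// Added example (not from the article or The Media Trust's report).
// A publisher can stop a framed ad from redirecting the top-level page
// without a click by sandboxing the ad iframe and omitting
// "allow-top-navigation". The by-user-activation variant still allows a
// redirect, but only after a genuine click.

const FORCED_TOP_NAV_TOKEN = "allow-top-navigation";
const GESTURE_TOP_NAV_TOKEN = "allow-top-navigation-by-user-activation";

// Parse the space-separated token list of a sandbox attribute.
// Returns null when the attribute is absent (no sandbox => nothing is restricted).
function parseSandbox(attrValue) {
  if (attrValue === null || attrValue === undefined) return null;
  return new Set(attrValue.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Classify one ad slot: can the framed creative redirect the visitor's page
// without a click ("forced"), only after a click ("gesture"), or never ("blocked")?
function classifyAdFrame(sandboxAttr) {
  const tokens = parseSandbox(sandboxAttr);
  if (tokens === null) return "forced";            // unsandboxed iframe
  if (tokens.has(FORCED_TOP_NAV_TOKEN)) return "forced";
  if (tokens.has(GESTURE_TOP_NAV_TOKEN)) return "gesture";
  return "blocked";
}

// Extract every <iframe ...> start tag from a page fragment and classify it.
// The regex is adequate for ad-slot markup emitted by a publisher's own
// templates; it is not a general HTML parser.
function auditAdSlots(html) {
  const results = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const idMatch = /(?:^|\s)id\s*=\s*["']([^"']*)["']/i.exec(attrs);
    // A bare "sandbox" attribute (no value) means every restriction applies.
    const sbMatch = /(?:^|\s)sandbox(?:\s*=\s*["']([^"']*)["'])?(?=\s|\/|$)/i.exec(attrs);
    let sandbox = null;
    if (sbMatch) sandbox = sbMatch[1] === undefined ? "" : sbMatch[1];
    results.push({
      id: idMatch ? idMatch[1] : "(no id)",
      sandbox,
      topNavigation: classifyAdFrame(sandbox),
    });
  }
  return results;
}

// Ids of slots whose creative could redirect the page with no click at all.
function forcedRedirectSlots(html) {
  return auditAdSlots(html)
    .filter((r) => r.topNavigation === "forced")
    .map((r) => r.id);
}

// Constructed sample page fragment with four ad slots of differing strictness.
// Note: the sandbox only helps when the creative is served from a different
// origin than the publisher page; a same-origin frame with allow-scripts and
// allow-same-origin could remove its own sandbox attribute.
const SAMPLE_PAGE = `
<div class="ad-slots">
  <iframe id="top-banner" src="https://ads.example.test/creative/1"></iframe>
  <iframe id="sidebar" sandbox="allow-scripts allow-same-origin allow-top-navigation" src="https://ads.example.test/creative/2"></iframe>
  <iframe id="in-article" sandbox="allow-scripts allow-same-origin allow-top-navigation-by-user-activation" src="https://ads.example.test/creative/3"></iframe>
  <iframe id="footer" sandbox="allow-scripts allow-same-origin" src="https://ads.example.test/creative/4"></iframe>
</div>`;

console.log(auditAdSlots(SAMPLE_PAGE));
console.log("slots redirectable without a click:", forcedRedirectSlots(SAMPLE_PAGE));
```

Run with Node; the audit flags `top-banner` (no sandbox at all) and `sidebar` (explicit `allow-top-navigation`) as slots where a hijacked creative could redirect the visitor without a click, while `in-article` requires a user gesture and `footer` cannot navigate the page at all.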
“Once DSO alerted the exchanges of the malicious ads, the exchanges quickly cut off the supplier further up the chain. Further down the chain, the publishers did the same as soon as they received their alerts. The various malware appeared to have their sights on iOS device users,” noted the researchers.
Researchers suspect that users who visited less monitored sites would have been affected in this adaptive attack campaign.