In a persistent campaign that features malicious ads on tens of millions, if not hundreds of millions, computers, the criminals have infiltrated more than 120 ad servers and introduced malicious code to legitimate announcements that redirect visitors to sites that promote malware and fraud. This has been going on since the past year, thus attracting benign devices in all external appearances. The malicious activity group behind this campaign is identified by the name Tag Barnakle.
Resources are needed to infiltrate the ad ecosystem as a legitimate buyer. Firstly, scammers need to spend time studying the functioning of the industry and then create a reputable entity. The strategy also calls for the payment of money for space to display malicious advertising. Though this is not the method used by a malvertising group called Tag Barnakle.
“Tag Barnakle, on the other hand, can bypass this initial hurdle completely by going straight for the jugular—mass compromise of ad serving infrastructure,” Confiant researcher Eliya Stein wrote in a blog. “Likely, they’re also able to boast an ROI [return on investment] that would eclipse their rivals as they don’t need to spend a dime to run ad campaigns.”
Over the previous year, Tag Barnakle infected more than 120 servers running Revive, an open-source application for companies who want to run their ad server instead of a third-party provider. Once an advertising server has been hacked, Tag Barnakle loads it with a malicious payload. The group does not use customer fingerprint identification to recognize the most enticing targets, to assure the malicious ads are received only in limited numbers. The servers which supply the targets with a secondary payload also use coating techniques to ensure they also fly below the radar.
The advertisements are mainly aimed at highlighting fake protection, safety, or VPN apps with secret subscription fees or “siphon off traffic for nefarious ends.” The advertising may also be extended to thousands of individual websites with ad servers frequently combined with several publicity exchanges. Confident does not know how many terminal users are comprised but the company considers the number to be huge.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.