Hackers use over 10,000 hacked WordPress sites to launch malvertising campaign

Recently, network security company Check Point disclosed  a massive malicious advertising attack. The attacker hijacks user  traffic to gain black benefits by buying a website ad slot in a legal  coat.Researchers speculate that these unidentified ad slots have  joined the legitimate online advertising platform to ensure proper  access to their target customers – major online criminal gangs that  hijack victims’ network traffic, redirects Go to the crooks website or  use tools to push malware such as ransomware, online banking Trojans or mining plugins.

Check Point said in the report that Master134 is the black hand  behind this malicious attack. The gang has invaded more than 10,000  websites based on WordPress CMS 4.7.1. After taking over the site, it  opened its website advertising space and released it in real-time.  Auction advertising platform AdsTerra.These ad slots flow to major  online criminal gangs through ad resellers such as AdKernel,  AdventureFeeds, EvoLeads, and ExoClick.

After purchasing these ad slots, the attacker exploits unpatched  vulnerabilities in the user’s browser or related plug-ins (such as  Adobe’s Flash Player) to run malicious JavaScript code, and users who  click on these malicious ads will be attacked. An attacker can even  locate a user based on a less secure operating system, browser, or a  specific type of device.The advertising content that is  ultimately pushed to the user depends on the user’s identity, location,  type of device used, etc., and the online advertising field still lacks  the necessary verification technology. It is difficult for the industry  to thoroughly review each ad to avoid the distribution of malicious  content.This is very popular for online criminal gangs, because  they can not only buy “advanced” advertising space on legitimate online  advertising platforms, but also illegal income can be washed through the  payment system. They even compare the proceeds of the attack with the  advertising expenditure to measure the rate of return.Researchers  at Check Point said third-party ad publishing platforms and resellers  might be aware of these situations, but still choose to help parties in  the black interest chain complete the transaction.

According to the security company’s findings, the attacker is likely  to pay the Master 134 directly, and Master 134 pays the online  advertising system for the cost of the redirect or even the source of  the fuzzy traffic. The third-party platform used by an attacker to  purchase a website ad slot is legal, so an attacker can use the platform  to precisely control the user’s traffic.Such malicious  advertisements are still hanging on a large number of websites, and  about 40,000 users are even attacked and infected every week.