A giant malvertising campaign was uncovered by experts from ProofPoint. The campaign was dubbed AdGholas, and the number of infect users is estimated to be around 1 million.The malvertising campaign was launched in 2015 and ran for more than a year and was shut down recently by alerted ad networks.
How Did the AdGholas Malvertising Infect Users?
The AdGholas campaign used drive-by trick users into infecting their systems. The large proportion of the attack was due to the innovative methods the crooks used to stay hidden. AdGholas was spread with 22 ad networks. The malicious ads weren’t limited to shady websites like usual but managed to get into legitimate domains as well. The malvertiser used filtering to target users with OEM type Windows systems using ATI or Nvidia drivers. The targets were found trough the drivers and logos installed on the user’s PC. This filtering is likely the reason why AdGholas went under the radar for so long. Another tactic used to hide the attack was the close mimicking of the malicious redirects to look like legitimate sites. That’s very effective, as users are much more likely to trust advertisements on a site they’re already familiar with and trust.
The OEM logos targeted by the malvertiser.
Types of malware used by AdGholas
AdGholas used the Angler exploit kit until it became unavailable. After that, the attackers switched to Neutrino. AdGholas also distributed different kinds of malware depending on the computer’s location. ProofPoint reports that the Gozi ISFB malware was deployed in Canada, Terdot.A (DELoader) went to Australia, Godzilla-loaded Terdot.A to the United Kingdom, and Gootkit to Spain.
Which sites were used in the AdGholas malvertising campaign?
113 domains were utilized in the attack, including big names like the Daily Mail, Boston Herald, The New York Times, Cosmopolitan, PC Magazine, Urban Dictionary, Makeuseof. com, and many others. It’s disturbing that sites with such large user-bases can be breached by malicious ads for such a long time.
The Growing Threat of Malvertising
The AdGholas is another example of malicious content on otherwise legitimate service. PayPal emails were used to spread the Chthonic trojan virus recently. No Internet space seems safe from the grips of the hackers. Luckily, you can prevent most attacks with the right know-how. Don’t click on suspicious ads, no matter where they appear. Avoid downloading pirated or freeware programs, as they’ll likely invite unwanted content of your PC, like browser hijackers, adware, and viruses. Sites that include pirated games, films, music, or pornography are the natural habitat of malicious internet content. Also, download an anti-virus and anti-malware software if you haven’t already. They’ll improve your cyber-security immensely.