A massive malvertising operation bought an estimated 1 billion ad views in 2017 under the guise of 28 different fake ad agencies, in what a new report is calling the largest operation of its kind last year.
The malvertising juggernaut – a sort of malicious conglomerate, if you will – reached 62 percent of ad-monetized websites on a weekly basis, notes the report, written by Jerome Dangu, cofounder and CTO of online ad security company Confiant, which dubbed the actor the Zirconium group.
It also reached every single ad network it seems, including Engage:BDR and DoubleClick.
Zirconium’s primary method of attack in 2017 was forced redirects, whereby users who visit a website compromised by malvertisements are involuntarily redirected to one or more malicious websites, often for the purpose of affiliate fraud or possibly malware infection via fake updates and scareware tactics.
By having more than two dozen fake ad agencies posing as a front, Zirconium has been able to conduct large volumes of business with legitimate ad platforms in piecemeal fashion, thus avoiding suspicion while also ensuring continued business in the event one of these phony agencies is ever exposed.
Dangu reports that Zirconium took painstaking efforts to make sure each of its fraudulent ad agencies looks like a legitimate independent business, distinct from all the others. Indeed, each faux agency has its own unique online and social media presence that includes fake CEO listings on LinkedIn, stock business photos, social media posts (generated by bots), and unique online content. Moreover, each one is operated via separate, independent technical infrastructures and uses unique ad-serving code.
Most of these fake branded companies were created in February 2017 and subsequently launched in March and April of that year. Eight of the 28 phony brands remain unused – likely waiting to be activated as the other agencies peter out or get banned.
“Zirconium was extremely successful at replicating the ‘small business’ ad agency style. The attackers successfully built direct business relationships with as many as 16 ad platforms,” Dangu reports. “Leveraging a swarm of fake ad agencies gives a strong justification for running custom ad servers, a critical part of the scheme because it allows for JavaScript execution on websites running ads.”
According to Confiant, the scheme typically works as follows: When web users visit a website plagued with Zirconum malvertising, the redirection chain commences via the online domain for the mobile ad platform Beginads.com. This domain acts as a central gateway and traffic direction system to reroute visitors to a Zirconium site called MyAdsBro, through which other black hats can also direct traffic, for a fee. Visitors are next redirected to a landing page, which is not operated by Zirconium. Instead, the actors reportedly resell the redirected traffic to various affiliate marketing platforms.
In an email to The Register, Confiant chief technology officer and cofounder Jerome Dangu said his biz came up with name Zirconium as a riff on the diamond-themed name of the shell company at the heart of the campaign.
“Typical established malvertising groups, like the Kovter Group, operate sporadically, running highly evasive campaigns for a few days and then disappearing,” he said. “Zirconium was live for the whole year, running campaigns on multiple tier-one ad platforms at once.”
Dangu notes that as of October 2017, the Zirconium actors began employing fingerprinting techniques to collect data on users’ browsers and devices in order to avoid redirecting any machines that are likely used by security professionals.
Confiant also reports that the legal entity representing Zirconium’s interests is Cape Diamond LP, a shell company incorporated in Scotland, with partners in the Seychelles (Damitra Group LTD and Lamen Business LTD). The cybersecurity firm notes that the offshore companies are known to be “extensively involved in online fraud activities, some of which [are] cryptocurrency-related.”
“The Zirconium business model is capital intensive and it makes sense that they would need to shield themselves behind an opaque offshore corporate structure,” Dangu concludes.
At some point on Tuesday or shortly thereafter, Google is scheduled to release Chrome 64 to its stable channel, bringing with it an unorthodox defense against the Zirconium group’s favored attack technique “forced redirects,” in which ads make browsers open unwanted websites.
“Under the hood, [the attack technique] is as simple as top.window.location = 'http://malicious...' but there are variations like an <a target="_top">link that gets clicked automatically in JavaScript,” explained Dangu. “To protect this code from detection, malvertisers rely heavily on evasion techniques like JavaScript fingerprinting.”
The goal of fingerprinting is to separate potential victims from security researchers and bots and other automated systems trying to detect malicious activity.
Malvertising is getting worse. “Chrome’s change is a direct reaction to the deterioration of the security environment for ad monetized websites,” he said.
