Hackers Lure in Millions of Victims Through Malware Ridden Advertisements

Close Up of woman hands using mobile phone and laptop computer - victims of malware ridden advertisements

Over the past year, a malvertising group called Tag Barnakle have compromised over 120 ad servers. They sneakily injected malicious code to be able to display fake ads to millions of surfers. Security researchers at Confiant had already uncovered the large malvertising campaign 12-months ago. Despite their disclosure, the hackers were undeterred and even ramped up their activities.

Hackers Fool Millions of Surfers with Fake Ads

Cybersecurity company Confiant first reported the malvertising in April 2020. At the time, the researchers found 60 unpatched ad servers that were compromised by the Tag Barnakle gang. The hacker group placed malicious advertisements on otherwise reliable sites.

Once the gang breaks into a server, they put their payload on it and use browser fingerprinting code to target only very specific visitors. Fingerprinting provides attackers with valuable information about the device or the browser surfers are using, network blocks, and more.

Most of the campaigns lure the victim to the App Store. Next, they point them to an untrustworthy security, safety or VPN app. These apps may steal login information or personal data stored on the victim’s phone. Or they may come with hidden subscription costs or other security issues.

Owners of Ad Servers Were Warned

The Tag Barnakle gang seems to have been focusing on Revive ad servers for some time now. These are ad servers that work on the opensource Revive system. This is one of the more popular ad systems currently in use worldwide. Revive software is mainly used by organizations that want to run their own advertising systems.

Last year, security researchers at Confiant notified the owners of the 60 servers they initially found to have been hacked. Apparently, none of the companies responded. Even worse, it seems ad publishers are not taking security seriously enough, as the number of hacked servers doubled within a year.

In the past year, Confiant have found 120 Revive servers infected in this way, double that of a year earlier. “If the world didn’t know about this threat actor before, they sure know about them now”, said Eliya Stein, a senior security engineer at Confiant, in the report. “Rather than curtail their activity in light of the attention, Tag Barnakle has all but doubled down.”

A Better Business Model

Hacking entire ad servers is a rarity. Usually, criminals buy advertising space under a false name from larger advertising networks and on legitimate sites. Later, the criminals modify their ad to include malicious code. This technique does not require a lot of skills.

Compromising an ad server, on the other hand, requires specific knowledge and a particular skill set. Not many malvertisers have this. Tag Barnakle also appears to have upgraded their toolset. Whereas last year they were happy to just take on desktop traffic, they now target mobile devices as well.

Moreover, by infiltrating servers, rather than buying ad space, the group can display their advertisements to a greater number of people more cheaply. “Likely, they’re also able to boast an ROI that would eclipse their rivals as they don’t need to spend a dime to run ad campaigns.”

Far Larger Reach

Security researchers at Confiant peg the reach of Tag Barnakle in the range of tens if not hundreds of millions of devices. Apparently, this is a conservative estimate and takes into consideration that the gang choose their victims carefully. This likely slows down detection.

“It’s incredibly difficult to calculate the full reach of Tag Barnakle’s malvertisements”, the report says. “The compromises seem to impact some moderately trafficked publishers and plenty of long-tail websites, however, the list includes a sizable amount of ad platforms and media companies that have built their technical stack on Revive.”

Publishers who don’t have the time or manpower to stay on top of security updates are better off with a hosted advertising solution. If open-source software is being used, it’s essential to install patches as soon as they’re released and understand the risks associated with managing ad software.

How to Avoid Malvertising

The best protection against malvertising is a good antivirus program. Antivirus software detects, halts and removes various types of malware so that they cannot access your systems. To stop advertisements altogether, surfers can install adblockers. However, some websites may not function well if you don’t allow advertisements.

Of course, another golden rule is to never install apps you haven’t heard of before or don’t need. And to stay away from any “special deals” a scantily clad girl or guy may have on offer.

Further, always type in links of trusted companies, like your bank, courier or health care provider, directly into the address bar. To do so, stick to browsers that are well known, like Mozilla Firefox, Microsoft Edge, Google Chrome, or Opera. If you’re looking for a privacy-oriented browser, read our article about the best browsers for your Privacy of 2021. For an extra layer of security and privacy, use a reputable VPN.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For VPNoverview.com she follows relevant cybercrime and online privacy developments.