A well-known malvertising gang famous for its use of the fingerprinting technique and other evasion tricks to bypass security checks has been ramping up its activity against many different ad platforms to push malware via top websites.

The setup for these malvertising attacks relies on a combination of techniques that start with the fraudulent advertiser choosing a victim, typically a legitimate website in the retail or legal business. The goal is to use someone else’s identity to appear legitimate when approaching ad networks.

The ad banners are designed professionally by the miscreants and then hosted along with the ad code on shadowed domains. The owners of said domains are completely unaware that a subdomain has been created on their hosting platform, let alone that it is serving malicious ads.

Here is the interesting part though. The ads are typically clean of any malware for anyone trying to manually verify them. The JavaScript code looks benign no matter how many times you refresh the page or rotate IP addresses. This is because the rogue version of the JavaScript is served conditionally, with the proper referer, user-agent, sometimes even your screen resolution, and several other parameters.
https://blog.malwarebytes.org/cyber...-malvertising-leverages-latest-flash-exploit/
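
The conditional serving described above can be checked for on the defender's side by comparing ad-script responses captured under different client profiles. The following is an added example, not part of the original post or the linked article; the attribute names, the profiles and the script bodies are constructed sample data.

```python
import hashlib
from itertools import combinations

ATTRS = ("referer", "user_agent", "screen")  # assumed names for the captured request attributes

def digest(body):
    # Collapse whitespace so formatting noise is not reported as a difference.
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()

def influencing_attrs(observations):
    """Attributes that, when changed alone, alter the script that was served."""
    found = set()
    for a, b in combinations(observations, 2):
        differing = [k for k in ATTRS if a[k] != b[k]]
        if len(differing) == 1 and digest(a["body"]) != digest(b["body"]):
            found.add(differing[0])
    return sorted(found)

def variants(observations):
    """Group client profiles by body digest; more than one group means conditional serving."""
    groups = {}
    for o in observations:
        groups.setdefault(digest(o["body"]), []).append(tuple(o[k] for k in ATTRS))
    return groups

# Constructed sample capture: one ad-script URL fetched under several client profiles.
PUB = "https://publisher.example/"
BROWSER = "Mozilla/5.0 (Windows NT 6.1; rv:40.0)"
SAME = "showBanner('ad.png');"                # placeholder body seen by most profiles
OTHER = "showBanner('ad.png'); loadExtra();"  # placeholder body seen by one profile only

def obs(referer, user_agent, screen, body):
    return {"referer": referer, "user_agent": user_agent, "screen": screen, "body": body}

OBSERVATIONS = [
    obs("", "curl/8", "0x0", SAME),
    obs("", "curl/8", "0x0", SAME),           # a plain refresh changes nothing
    obs(PUB, "curl/8", "0x0", SAME),
    obs(PUB, BROWSER, "0x0", SAME),
    obs(PUB, BROWSER, "1366x768", OTHER),     # only the full profile gets another script
    obs("", BROWSER, "1366x768", SAME),
    obs(PUB, "curl/8", "1366x768", SAME),
]

if __name__ == "__main__":
    print("distinct script variants:", len(variants(OBSERVATIONS)))
    print("attributes that change the response:", influencing_attrs(OBSERVATIONS))
```

A scanner that varies only one attribute at a time from a bare profile never sees the second variant in this capture, which is why the comparison pivots on the full publisher-like profile.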
 