Compromised OpenX Ad Servers Lead Users to Malware

A gang called "BlackAdvertsPro" sells traffic to cybercrooks that run exploit sites

  Scareware called Smart Fortress 2012
Sophos researchers discovered that a number of OpenX ad servers were compromised and altered to redirect users to sites that push dangerous pieces of malware.

Sophos researchers discovered that a number of OpenX ad servers were compromised and altered to redirect users to sites that push dangerous pieces of malware.

Experts found that when the OpenX ad content is requested by the browser, an iframe is also loaded, executing a malicious JavaScript identified as Troj/JSRedir-EF.

The iframe added by the script loads content from a traffic directing server (TDS), controlled by a group called BlackAdvertsPro, which appears to be specializing in compromising websites in order to direct traffic to their own TDS. This traffic can be worth a lot of money if sold to crooks who run exploit sites.

In one instance, the traffic was routed to an exploit site that served a piece of scareware called Smart Fortress 2012 (Mal/ExpJS-AF) by exploiting Java vulnerabilities.

Interestingly, the BlackAdvertsPro crew seems to be checking IP addresses to ensure that each visitor is directed only once to the exploit sites.

“This supports the theory that they are selling the traffic to others running the exploit sites. (Attackers have no interest in paying for the same machine getting redirected to their exploit site multiple times.)” Principal Virus Researcher Fraser Howard wrote.

Ad content poisoning is a very popular technique among cybercriminals because it allows them to control large amounts of traffic. Of course, as many administrators and security enthusiasts are aware, traffic, especially high volumes, is worth a lot on the underground markets.

“The bottom line for site admins is that *any* content that their site loads from a 3rd party presents a risk. If the 3rd party gets hacked, then it is your site that ends up serving up malicious code, and redirecting your users to malicious sites,” Howard concludes.

Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile.

Comments