Massive Malvertising Operation Uncovered that Delivers Traffic to Rig Exploit Kit

For many years cybercriminals have been sneaking malicious adverts onto legitimate websites through advertising networks.

Publishers – website owners that sell space on their sites for advertisements – often use ad networks to connect them with advertisers, who bid for the space. Resellers are also involved in the advertising chain and resell traffic generated through the ad networks to other advertisers.

If a malicious advert makes it past the ad network checks, it can be displayed to huge numbers of visitors and could be placed on thousands of websites simultaneously. The malicious adverts direct users to phishing websites, scam sites, and sites hosting exploit kits where drive-by downloads of malware take place.

Malicious advertising – or malvertising – is commonplace, although ad networks are now incorporating more checks on advertisers that make it harder for malicious adverts to be introduced. However, many malicious adverts make it past these controls despite the best efforts of the ad networks.

Massive Malvertising Campaign Uncovered

Researchers at Check Point have recently uncovered a massive malvertising campaign where a threat actor is posing as a legitimate publisher and is offering advertising space on more than 20,000 websites. Those websites are not owned by the publisher. They are sites that have been compromised. Most of the sites use WordPress and have not been updated, allowing WordPress vulnerabilities to be exploited and access to the sites to be gained without the owners’ knowledge.

The traffic to those sites is sold on by the ad network to resellers, who sell that traffic to cybercriminals who use malicious adverts to direct users to scam sites and exploit kits.

Check Point researchers were investigating a campaign that was redirecting users to a website hosting the Rig exploit kit. Further research into the source of the traffic revealed users were being redirected through JavaScript on a remote server, with the traffic seemingly coming from compromised websites. The JavaScript redirected users to an advertising page owned by the AdsTerra ad network. That page redirected users to the Rig exploit kit where malware was downloaded.

Check Point researchers discovered that more than 10,000 websites had been compromised by this single threat actor. The majority of the compromised sites were running the outdated WordPress version 4.7.1, which is vulnerable to remote code execution; this is likely how the sites were compromised. Potentially unwanted programs (PUPs) were also being used to generate traffic.
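For site owners who want to check their own hosting for the outdated WordPress installs described above, the following added example (not from Check Point or the original article) walks a directory tree, reads each install's wp-includes/version.php and flags version 4.7.1 or older. The sample directory tree is constructed, and using 4.7.1 as the cut-off is an assumption based on the version the article names.

```python
import os
import re
import tempfile

# Matches the assignment in wp-includes/version.php, e.g. $wp_version = '4.7.1';
WP_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")

# Assumed cut-off, taken from the article: 4.7.1 and anything older is flagged.
FLAG_AT_OR_BELOW = (4, 7, 1)


def parse_version(text):
    """Return the $wp_version string found in version.php content, or None."""
    m = WP_VERSION_RE.search(text)
    return m.group(1) if m else None


def version_key(version):
    """Turn '4.7.1' or '5.0-beta2' into a comparable tuple padded to 3 parts."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def audit(root):
    """Walk root; return sorted [(install_dir, version, flagged)] per install."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in files:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            # An unparseable version is flagged too: it needs a manual look.
            flagged = version is None or version_key(version) <= FLAG_AT_OR_BELOW
            results.append((os.path.dirname(dirpath), version, flagged))
    return sorted(results)


def make_sample_tree(root):
    """Constructed sample data: three fake installs under root."""
    samples = {"shop": "'4.7.1'", "blog": "'4.9.8'", "old": '"4.6"'}
    for name, quoted in samples.items():
        inc = os.path.join(root, name, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n$wp_version = " + quoted + ";\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for path, version, flagged in audit(tmp):
            print(f"{'OUTDATED' if flagged else 'ok':8} {version}  {path}")
```

To audit a real host, call `audit()` on the web root instead of the temporary sample tree.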

The threat actor, called Master134, sells ad space on the sites which is purchased by a wide range of advertisers. In theory, the space could be used by threat actors and legitimate businesses alike, yet it appeared to almost exclusively be bought by cybercriminal groups that run exploit kits.

Master134 is also using other advertising networks and is indirectly selling traffic to threat actors via resellers. Somehow the entire ad ecosystem is being hijacked. The scale of the operation suggests that the ad network may be aware of the scam, yet is turning a blind eye to the operation.

“Threat actors never cease to look for new techniques to spread their attack campaigns, and do not hesitate to utilize legitimate means to do so. However, when legitimate online advertising companies are found at the heart of a scheme, connecting threat actors and enabling the distribution of malicious content worldwide, we can’t help but wonder – is the online advertising industry responsible for the public’s safety?” wrote the Check Point researchers. “Indeed, how can we be certain that the advertisements we encounter while visiting legitimate websites are not meant to harm us?”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of