Three casino websites served as the decoys in one of the largest malvertising attacks seen to date.
Researchers at Malwarebytes Labs have identified a campaign that’s been active for at least three weeks, preying on visitors of sketchy websites offering things like free downloads of copyrighted movies, pirated live streams, pirated software and more. Those websites host malicious ads, which then redirect the victim to one of the casino websites (pennyslot.net, playcasino77.com and onlinecasinofun.org).
From there, the sites would silently load malicious iframes from disposable domains which ultimately led to the Angler exploit kit. In one case, the casino website was a direct gateway to Angler EK.
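The pattern described above, a page on one of the casino domains quietly pulling an iframe from a throwaway host, is the kind of thing a crawler or proxy can flag cheaply. The following is an added illustration of such a check, not Malwarebytes' tooling or anything from the campaign itself: it parses a page's HTML and reports iframes that point off the page's own domain and are either hidden (by their own style or a hidden ancestor) or sized at 1x1 or smaller. The sample HTML and the throwaway hostnames under `.example` are constructed for the demonstration; only the casino domain in the page URL comes from the article.

```python
"""Flag hidden or tiny off-domain iframes in a page's HTML.

Added example for the silent-iframe redirect pattern; the HTML below and
the throwaway hostnames are constructed, not captured from the campaign.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate same-origin iframe, a 1x1 hidden
# off-domain iframe, and an off-domain iframe inside a display:none div.
SAMPLE_PAGE_URL = "http://pennyslot.net/"
SAMPLE_HTML = """
<html><body>
<h1>Free spins</h1>
<iframe src="/promo.html" width="600" height="400"></iframe>
<iframe src="http://x7k2f9-temp.example/ad.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<div style="display:none">
  <iframe src="http://kd83j-lander.example/gate.html"></iframe>
</div>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Elements that never get a closing tag; they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def is_tiny(attrs):
    """True when width or height is declared as 0 or 1 (optionally 'px')."""
    for key in ("width", "height"):
        value = (attrs.get(key) or "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


class IframeAuditor(HTMLParser):
    """Collect iframes that are off-domain and concealed from the user."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.stack = []      # (tag, hidden_by_own_style) for open elements
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden_here = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        # Hidden if this element or any open ancestor is display:none / hidden.
        hidden = hidden_here or any(h for _, h in self.stack)
        if tag == "iframe":
            src = attrs.get("src") or ""
            host = urlparse(src).hostname   # None for relative URLs
            off_domain = host is not None and host != self.page_host
            if off_domain and (hidden or is_tiny(attrs)):
                self.findings.append({"src": src, "host": host,
                                      "hidden": hidden, "tiny": is_tiny(attrs)})
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden_here))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def audit(page_url, html):
    """Return the list of suspicious off-domain iframes found in html."""
    parser = IframeAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Protocol-relative sources such as `//host/path` are handled, because `urlparse` still yields a hostname for them. A subdomain of the page's own host is treated as off-domain here, which is the conservative choice for a first-pass filter; tune the comparison if that produces too much noise on large sites.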
Further, the malvertising campaign used a surprising 30 or more different pieces of malware to infect victims. Researchers found the infamous CryptoWall ransomware as well as the Bunitu Trojan.
The impact is widespread.
“In all likelihood, a very large number of people were exposed to malware because of this campaign,” said Jerome Segura, senior security researcher at Malwarebytes Labs, in a blog. “When looking at the number of visitors to those websites, we see a troubling pattern. Before September, the traffic for all three combined was almost non-existent, but by mid-October, traffic spiked through the roof for a total of more than 1 million monthly visits.”
Because the campaign ran on dubious publishers likely to turn a blind eye to ‘advertising issues’, and reached visitors who knew they were consuming illegal content, there was little reason for anybody to report the incident. The ad networks’ domains were almost all registered via Domains By Proxy LLC, so no information was available about the registrant.
“In fact, each of these malvertising attacks taken on its own does not stand out, but realizing that they were all connected gives us the bigger picture in how large of an operation this was,” Segura said.
They were, however, all registered through GoDaddy and hosted on the same autonomous system, AS26496 (GoDaddy’s ASN; the original text gave AS15169, which belongs to Google), which led the researchers to conclude that they were related to one another. Of the 10 ad domains examined, one belonged to AdCash, and it was through that network that Malwarebytes was able to report the campaign.
A look at some of the stats behind those ad domains shows some staggering numbers. According to SimilarWeb, a service that estimates website traffic and provides various analytics, these ad networks generated over 2 billion visits in October.
“To be clear, this is not how many people were exposed to malvertising since this only affected a few particular rogue campaigns, and not all campaigns running on these networks,” Segura added.
The traffic to the three casino sites that acted as the intermediary to the exploit kit tells the same story. Before September, traffic on those domains was almost non-existent; once the campaign started, it spiked to a combined total of more than 1 million monthly visits.
Photo © monamis