Assessment:  November was an interesting month for malicious activity.  Redirect campaigns spiked early in the month between 11/8 and 11/15.  During that time, we noted an 800% increase in malicious ads in the system.  The second spike in redirect activity occurred just prior to the Thanksgiving Holiday.  Over 7M bad ads were detected and blocked in the days leading up to the long weekend.

One of the most commonly hijacked creatives this month was creative featuring Purdue University Global.


Fraudsters continue to use a common tactic of rotating malicious content between a variety of CloudFront endpoints to extend the life of the campaign and avoid detection. The malicious ads use various methods, like disabling “unsaved handlers”, to attempt a variety of redirect techniques that probe for holes in browser sandboxing, making the use of a blacklist critical to stop the behavior. In many cases, the ad tries to redirect right away; if that fails, it creates an input element to listen for user keyboard actions and, when one is detected, reacts with a redirection.

Sample redirect path:

In terms of the content of the redirect, there has been a significant shift (nearly 200%) toward redirects pointing to support scams rather than "you've won" creative. These fraudsters prompt users to call a number or click for support, with the goal of either installing malware or charging money.

Assessment:  Redirect campaign hosting malicious creative on rotating CloudFront domains.  Domains are only live for short periods of time and then dormant for a few days before ramping up activity again.  Malicious behavior detected across both iOS and Android devices.

Affected Platforms: RhythmOne >> Sovrn/Sonobi >> Consumable

Assessment:  Over 12 Million ads blocked over the weekend driving users to sites like adhappymday.club.  The campaign was primarily mobile across iOS and Android devices.

Interestingly, this campaign is using one-time keys to prevent analysts from gaining access to deeper parts of the malicious actors' infrastructure. Links return 404 errors shortly after they have been used once, in an attempt to frustrate investigation.

Affected Platforms:  Adelphic DSP via Index Exchange

Assessment:  Redirect attack originally detected on Oct 11th is redirecting users to variations of “(today)bestgift(s).space/host/xyz/site”.

The attackers deliver their malicious payload via Amazon AWS CDNs using random file names and various methods to evade detection (e.g. encoding parameter values, breaking up URLs into chunks and recombining them). The payload they deliver is highly obfuscated.  The attack first loads an alert that a user has to click to close and then loads a variation of a Walmart Giftcard Sweepstakes page targeting various ISPs.
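As an added, defender-side illustration (not the page's or any vendor's code), the static checks below fold chunked string literals back together, extract the CloudFront host they form, match it against a blocklist, and flag the keyboard-armed redirect described in the campaign above. The creative snippet, hostname and blocklist entry are constructed placeholders.

```python
import re

# Constructed sample of a creative's script, written for this example (not a
# real payload): the CloudFront hostname is split into literal chunks and
# recombined at runtime, and the redirect is armed on a keyboard event.
SAMPLE_CREATIVE = """
var u = "https://d1111" + "11abcdef8" + ".cloudf" + "ront.net/" + "a9x.js";
var k = document.createElement("input"); document.body.appendChild(k);
k.addEventListener("keydown", function () { top.location = u; });
"""

# Hostnames an analyst has already tied to the campaign (placeholder value).
BLOCKLIST = {"d111111abcdef8.cloudfront.net"}

# Two adjacent string literals joined by '+', e.g. "ab" + "cd"
_CONCAT = re.compile(r'(["\'])([^"\'\\]*)\1\s*\+\s*(["\'])([^"\'\\]*)\3')
_CF_HOST = re.compile(r'\b[a-z0-9-]+\.cloudfront\.net\b', re.I)
_KEY_LISTENER = re.compile(
    r'addEventListener\(\s*["\'](?:key(?:down|up|press)|input)["\']')
_LOCATION_WRITE = re.compile(
    r'\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:replace|assign)\(')


def join_string_chunks(js: str) -> str:
    """Statically fold "ab" + "cd" into "abcd" until nothing changes."""
    prev = None
    while prev != js:
        prev, js = js, _CONCAT.sub(lambda m: f'"{m.group(2)}{m.group(4)}"', js)
    return js


def scan_creative(js: str, blocklist=BLOCKLIST) -> dict:
    """Return the indicators found in a creative's script and a verdict."""
    folded = join_string_chunks(js)
    hosts = sorted({h.lower() for h in _CF_HOST.findall(folded)})
    # A keyboard listener plus a write to location is the behaviour described
    # above; either indicator alone is common in benign creative.
    keyboard_redirect = bool(_KEY_LISTENER.search(folded)) and bool(
        _LOCATION_WRITE.search(folded))
    blocked = [h for h in hosts if h in blocklist]
    return {
        "cloudfront_hosts": hosts,
        "blocked_hosts": blocked,
        "keyboard_redirect": keyboard_redirect,
        "verdict": "block" if blocked or keyboard_redirect else "allow",
    }


if __name__ == "__main__":
    print(scan_creative(SAMPLE_CREATIVE))
```

The folding step is what makes the blocklist useful against chunked URLs: a host that never appears whole in the source still appears whole after the literals are joined.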

Affected Platforms:  Pubmatic, Index, SOVRN

Assessment:  Quick-moving redirect campaign targeting mobile and desktop devices and impacting over 20% of ADL's customers in 2 days.  Fraudsters hijacked a Dremel ad and used it to deliver the malicious payload.  Infected ads seem to have tapered off as of Monday.

Affected Platforms:  RhythmOne

Hijacked creative

Redirection path
