Fake Google search rewards pop-up attack

Over the past three months, we have been closely monitoring a malicious redirect campaign that automatically sends the user to random fake reward pop-ups without any user interaction.

Malicious advertisements

 

Major malware tactics used

  • Device fingerprinting

Malicious behavior

The threat actor runs a group of malvertising campaigns that all follow the same attack and execution pattern. The creative markup carries the first-stage malicious JavaScript hardcoded inside it, so when the creative renders, the malicious code executes in the background at the same time, with no user interaction.

In this campaign the first-stage JavaScript loader is not obfuscated, which makes it easy for malware researchers to debug and follow the code flow. The loader contains several functions that collect device information; from that data the threat actor builds a unique, long second-stage URL, which redirects the user automatically and deceives them with a fake Walmart or Google search reward pop-up. Depending on the user's geolocation, the redirect sometimes lands on fake adult-dating websites instead.

Sample malicious JavaScript function that collects the user's timezone and CPU information.



 

Malicious landing pages

 





 


Assessment: Since January 2022, we have seen a large spike in a malicious ad campaign that forces automatic page redirection and deceives the user with pages that imitate antivirus vendors such as McAfee. When the malicious ad loads, it simultaneously executes heavily obfuscated JavaScript in the background, and that code carries out the fake antivirus redirect. This is a particularly advanced redirect attack because it actively looks for anti-malvertising vendors, and it has affected over 500 domains.

Ad Images:

       

Landing Page Screenshots:

       

Malicious Tactics Used:

  • Obfuscation
  • Device Fingerprinting 
  • Sandbox Detection

Affected Platform: Google Ad Exchange

In one example of this malicious ad, the obfuscated JavaScript is served from "https://media[.]aso1[.]net/storage/1/7/9/17990c17291a58844865bdd7f0b818cbe561700d/index[.]html". When the ad is displayed to the user, it loads and executes that file in the background at the same time.

The threat actor has heavily obfuscated the malicious code to evade detection and carry out the redirect, which also makes it hard for malware researchers to de-obfuscate it and understand its behavior. Threat actors use a wide variety of obfuscation techniques; in this case the payload is stored AES-encrypted with CryptoJS and decrypted at runtime, along the lines of:

var decrypted = CryptoJS.AES.decrypt(encrypted, "Secret Passphrase");

CryptoJS supports AES-128, AES-192 and AES-256 and picks the variant from the size of the key passed in. When a passphrase string is used instead of a key, as here, CryptoJS derives a 256-bit key (and the IV) from the passphrase and a random salt, and writes the ciphertext in OpenSSL's "Salted__" format. Because the loader has to decrypt itself at runtime, the passphrase must be present in the code, so it can be lifted from the script and used to decrypt the payload offline.

The malicious code creates a canvas element, renders to it and hashes the result on the machine where it runs (a canvas fingerprint), then compares that hash with a hard-coded list of hash values. If the hash matches an entry in the list, the redirect is not carried out: the list presumably holds the fingerprints of scanning and sandbox environments the actor has seen before.

If the code finds an anti-malvertising vendor on the page, it voids the following objects on the current frame and on the main parent frame, so that a vendor script present on the creative can no longer call them to report what it observes:

 

Disabled Items:

  • XMLHttpRequest
  • navigator.sendBeacon
  • postMessage
  • Image
  • Request
  • fetch

The code registers an "ontouchstart" handler, which fires only when an element is touched and therefore only in mobile touch environments; from this we can tell that the threat actor targets mobile phones. The code also calls "getTimezoneOffset", which returns the difference between Coordinated Universal Time (UTC) and local time in minutes; this gives the actor a coarse idea of the timezone, and so the region, in which the ad executed.

The malicious code attaches event listeners and checks whether the events come from a real user or from an automated testing environment: the redirect happens only on a real click, mousedown, scroll, keydown or similar event.

Upon favorable technical conditions, the malicious javascript code redirects the user to fake McAfee scanning landing pages with a couple of hops in between. 

We have seen a concerning volume of ads from this malicious campaign across both desktop and mobile devices.


Assessment: Over the past couple of months, we have seen a spike in bad creatives that show pornographic content on educational websites, which creates a bad experience for visitors, especially the children who use these sites for learning. Our research team identified this issue, and since Q3 2021 we have seen 41M blocks impacting 7208 domains.

Ad Image:

Assessment: Last week, we observed a malicious ad campaign that uses classic clickbait techniques to lure users into clicking on the advertisements. The user is then taken to a newly registered malicious website that promotes a bitcoin scam using celebrity images and clones legitimate news websites such as "https://www.news.com.au/" and "https://www.forbes.com/news/" on the landing page. We have seen a concerning volume of ads from this campaign across both desktop and mobile devices.

Affected Platform: Google ADX

Ad Image:

Landing Page Screenshot:

Assessment: Over the past couple of months, we have seen a spike in malicious creatives that redirect users to various fake antivirus pop-ups imitating McAfee, Norton and others. Our research team identified new signatures, and since January 06, 2022 we have seen 8.2 million blocks impacting 2210 domains. When the malicious creative loads, it uses server-side redirection, which makes detection difficult because most of the redirect logic runs on the server rather than being hardcoded in the creative itself; the chain takes multiple hops before reaching the final fake antivirus pop-up.

Sample malicious URL/Script used in the redirect chain:


Affected Platform: Appnexus

Redirect Landing Page:
