Compromised Ad Servers

An ongoing malvertising campaign tracked as "Tag Barnakle" has been behind the breach of more than 120 ad servers over the past year to sneakily inject code in an attempt to serve malicious advertisements that redirect users to rogue websites, thus exposing victims to scamware or malware.

Unlike other operators who set about their task by infiltrating the ad-tech ecosystem using "convincing personas" to buy space on legitimate websites for running the malicious ads, Tag Barnakle is "able to bypass this initial hurdle completely by going straight for the jugular — mass compromise of ad serving infrastructure," said Confiant security researcher Eliya Stein in a Monday write-up.

Automatic GitHub Backups

The development follows a year after the Tag Barnakle actor was found to have compromised nearly 60 ad servers in April 2020, with the infections primarily targeting an open-source advertising server called Revive.

The latest slew of attacks is no different, although the adversaries appear to have upgraded their tools to target mobile devices as well. "Tag Barnakle is now pushing mobile targeted campaigns, whereas last year they were happy to take on desktop traffic," Stein said.

Compromised Ad Servers

Specifically, the websites that receive an ad through a hacked server carries out client-side fingerprinting to deliver a second-stage JavaScript payload — click tracker ads — when certain checks are satisfied, that then redirect users to malicious websites, aiming to lure the visitors to an app store listing for fake security, safety, or VPN apps, which come with hidden subscription costs or hijack the traffic for other nefarious purposes.

Given that Revive is used by a good number of ad platforms and media companies, Confiant pegs the reach of Tag Barnakle in the range of "tens if not hundreds of millions of devices."

"This is a conservative estimate that takes into consideration the fact that they cookie their victims in order to reveal the payload with low frequency, likely to slow down detection of their presence," Stein said.


Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.