Tuesday 11th December 2018

10,000 WordPress websites hacked and leveraged to ‘manipulate the entire online advertising supply chain’

The infection chain comprises a complex network of online publishers, ad resellers, ad networks and malware distributors. The initial hack exploits an alleged vulnerability in WordPress version 4.7.1.
by Jason Smith on 1st August 2018

Security research firm Check Point claims to have uncovered a large and complex “malvertising” campaign that involves online publishers, ad networks, ad resellers and upwards of 10,000 hacked WordPress installations.

It claims the incident is a manipulation of the “entire online advertising supply chain” and that ad networks, which serve as an intermediary between advertisers and publishers, are powering the far-reaching attack.

The firm attributes the malicious activity to an attacker dubbed “Master134”.

It claims Master134 is redirecting traffic from the infected WordPress installations to ad network AdsTerra, which is allegedly subsequently reselling the traffic to ad resellers like ExoClick, AdventureFeeds, AdKernel and EvoLeads. The ad resellers are then allegedly selling the traffic to malicious actors responsible for distributing the malware.

Consequently, the malware, which includes ransomware, banking trojans and bots, is potentially being distributed via the websites of upwards of thousands of online publishers.

The alleged involvement of AdsTerra was identified after the security firm realized the initial redirect from Master134’s server points to a domain owned by the ad network: hibids10.com.
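The redirect chain described above (compromised site, ad-network domain, reseller, malware landing page) is what a defender would want to reconstruct from a suspicious site. The following is an added example, not code from the article or from Check Point: it follows HTTP Location headers against constructed in-memory responses and flags any hop on a watchlist. Only hibids10.com comes from the article; the other hostnames are placeholders.

```python
# Added example (not from the Check Point report or the article): trace an HTTP
# redirect chain offline using constructed responses and flag hops that land on
# a watchlisted domain. Every domain except hibids10.com is a placeholder.
from urllib.parse import urljoin, urlparse

# Constructed, in-memory stand-in for HTTP responses: url -> (status, Location)
MOCK_RESPONSES = {
    "http://compromised-blog.example/": (302, "http://hibids10.com/land?ref=1"),
    "http://hibids10.com/land?ref=1": (302, "http://reseller.example/serve"),
    "http://reseller.example/serve": (302, "/payload/drop.html"),
    "http://reseller.example/payload/drop.html": (200, None),
}

WATCHLIST = {"hibids10.com"}  # domain named in the article's redirect chain

def fetch(url):
    """Placeholder fetch: look up a constructed response instead of a real request."""
    return MOCK_RESPONSES.get(url, (404, None))

def trace_redirects(start_url, fetch_fn=fetch, max_hops=10):
    """Follow Location headers and return the ordered list of URLs visited.
    Stops on a non-redirect status, a loop, or max_hops (a very long chain
    is itself worth logging)."""
    chain = [start_url]
    url = start_url
    while len(chain) <= max_hops:
        status, location = fetch_fn(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(url, location)  # resolve relative Location values
        if nxt in chain:
            break  # redirect loop
        chain.append(nxt)
        url = nxt
    return chain

def flagged_hops(chain, watchlist=WATCHLIST):
    """Return the hops whose host (or a parent domain) is on the watchlist."""
    hits = []
    for u in chain:
        host = urlparse(u).hostname or ""
        parts = host.split(".")
        if any(".".join(parts[i:]) in watchlist for i in range(len(parts))):
            hits.append(u)
    return hits

if __name__ == "__main__":
    chain = trace_redirects("http://compromised-blog.example/")
    print(" -> ".join(chain))
    print("watchlist hits:", flagged_hops(chain))
```

Swapping `fetch` for a real HTTP client that does not auto-follow redirects turns this into a live tracer; logging the full hop list, not just the final page, is what exposes the intermediary domains.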

The firm also claims all of the infected websites are using version 4.7.1 of WordPress and thus are all vulnerable to the type of attack, a remote code execution (RCE), instigated by Master134. In some cases, the victim’s homepage was also commandeered to redirect traffic to malicious landing pages.

Ad networks bring publishers and advertisers together into an auction system. Publishers submit inventory and advertisers bid, in real time, to have their creative placed on publishers’ websites.

The research from Check Point follows a similar revelation from Trend Micro which, in January 2018, reported attackers were serving malicious ads designed to hijack users’ CPU resources via Google’s ad network.

The attack was designed to execute cryptocurrency mining scripts alongside the display of legitimate advertisements. The malware leverages up to 80 percent of users’ CPU resources.