Malvertising Campaign Targets Millions of Users
A malvertising campaign dubbed "Tag Barnakle" has infected over 120 advertising servers in the past twelve months, according to security researchers. The goal of the large-scale campaign was to inject malicious code in advertisements served to users. The malicious snippets can redirect users to malicious websites and expose them to further malicious payloads and scams.
The campaign was examined in-depth by security experts working with ad security company Confiant. In its piece on Tag Barnakle, Confiant points out that the majority of malvertising actors use a different approach when it comes to spreading malicious ads. Most bad actors attempt to snake their way into the system and obtain legitimately purchased space to run bad advertisements in.
In contract to this approach, Tag Barnakle doesn't even attempt to play nice and goes for what researchers call "mass compromise" of ad servers and their infrastructure.
The malicious activities of the group behind Tag Barnakle started back in 2020, when around 60 advertising servers were infected. The primary target of the hackers were servers running an open-source ad server solution called Revive.
The difference in this new push from Tag Barnakle is that this time around the bad actors behind it are not just targeting web ads served on computer browsers. The new campaign includes mobile ads as well.
An advertisement originating from an infected server delivers a secondary payload after a fingerprinting check. If certain conditions are met, the victim is redirected to a website that lists fake VPN and other security-focused applications. Those apps either have undisclosed additional costs the user is not made aware of adequately or have capabilities that can directly hijack traffic for a number of other malicious ends.
Confiant believes that because Revive is a relatively popular ad server solution, the number of devices that may have been exposed to the malicious ads is in the tens or even in the hundreds of millions - a staggeringly large number.
The security company even goes so far as to call this a "conservative estimate", as Tag Barnakle first has to drop a cookie on the victim's device, potentially slowing down detection in the process.