Legal Advertising Technologies Helped To Spread Trojans

A group of cybercriminals set up 28 fake marketing agencies to buy ad space on legitimate websites and funnel the resulting traffic to malicious resources. According to experts' estimates, their rogue ads were displayed more than a billion times in 2017, and clicks on those ads exceeded 2.5 million.

The operation was uncovered by the ad-security firm Confiant, which named it Zirconium.

The first agencies were registered in February 2017. The attackers created a separate website for each fake ad agency and used stock photos to build social-media profiles for its "managers". They also automated the publication of news posts on social media. Each agency ran on its own independent IT infrastructure, including TLS (SSL) certificates and servers, hosting, and an ad engine for serving banners.

The goal of this initial stage was to allay any suspicion on the part of the large advertising platforms that the scammers would deal with in the second stage of the operation.

The "agencies" bought banner ads on legitimate sites and then, through a chain of automatic redirects, took visitors to malicious sites. Forced-redirect JavaScript in the creative moved the user to a new page without any action on their part; this is the same technique publishers now counter by loading creatives in sandboxed iframes that are not granted top-level navigation.

The first site that opened after a click on the banner acted as a gateway and sent the visitor on to an intermediate resource that fingerprinted the browser and device. Fingerprinting let the operators analyse the traffic and split it into segments (for example desktop versus mobile, or by country), so that each segment could be routed to whatever converted best.

The user then landed on another intermediate "gasket" site, a traffic distribution system that divided the audience between landing pages. The final destination pages usually showed a fake alert that Flash Player was out of date, together with an offer to install some software. Accepting it infected the computer with various malware, including Trojans and even ransomware, and victims ended up losing data and money.
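To make the chain concrete, the following Python is an added example, not code from the original report or from Confiant. It walks an offline, constructed set of pages modelled on the stages just described (gateway, fingerprinting hop, traffic distributor, Flash Player lure) and pulls out the indicators an analyst would note: how many automatic hops there were, how many distinct hosts, which hop fingerprints the browser, and whether the final page is a fake updater lure. Every hostname, page body and indicator below is an assumption made for the example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample pages standing in for the chain the article describes:
# banner click -> gateway -> fingerprinting hop -> traffic distributor -> landing page.
# Every hostname and page body below is invented for this example; none of it
# comes from the original report.
PAGES = {
    "https://ad-agency.example/click?id=42":
        '<html><body><script>top.location.href = "https://gate.example/go";'
        '</script></body></html>',
    "https://gate.example/go":
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=https://fp.example/fp?ua=desktop"></head></html>',
    "https://fp.example/fp?ua=desktop":
        '<script>var isMobile = /Mobi|Android/i.test(navigator.userAgent);\n'
        'if (!isMobile) { window.location.replace('
        '"https://tds.example/route?seg=desktop"); }</script>',
    "https://tds.example/route?seg=desktop":
        '<script>document.location = "https://landing.example/flash-update.html";'
        '</script>',
    "https://landing.example/flash-update.html":
        '<html><body><h1>Your Flash Player is out of date</h1>'
        '<a href="/downloads/FlashPlayer_update.exe">Install now</a></body></html>',
}

# Automatic (no user action) redirect idioms, tried in this order.
REDIRECT_PATTERNS = [
    ("meta-refresh", re.compile(r'http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I)),
    ("js-replace", re.compile(r'location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']', re.I)),
    ("js-location", re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)),
]

# Script features that suggest a fingerprinting hop rather than a plain redirect.
FINGERPRINT_HINTS = re.compile(
    r"navigator\.(?:userAgent|platform|plugins)|screen\.(?:width|height)", re.I)


def next_hop(url, body):
    """Return (kind, absolute_url) for the first automatic redirect in body, else None."""
    for kind, pattern in REDIRECT_PATTERNS:
        m = pattern.search(body)
        if m:
            return kind, urljoin(url, m.group(1))
    return None


def follow_chain(start, pages, max_hops=10):
    """Walk automatic redirects from start through the offline page map.

    Returns (urls, kinds): every URL visited and the redirect idiom used at
    each hop. Stops at a page with no automatic redirect (a click-through
    landing page), at an unknown URL, on a loop, or after max_hops."""
    urls, kinds = [start], []
    while len(kinds) < max_hops:
        body = pages.get(urls[-1])
        if body is None:
            break
        hop = next_hop(urls[-1], body)
        if hop is None or hop[1] in urls:
            break
        kinds.append(hop[0])
        urls.append(hop[1])
    return urls, kinds


def assess(urls, pages):
    """Indicators an analyst would raise on a chain like this."""
    final_body = pages.get(urls[-1], "")
    exe_links = [urljoin(urls[-1], href) for href in
                 re.findall(r'href=["\']([^"\']+\.exe)["\']', final_body, re.I)]
    return {
        "hops": len(urls) - 1,
        "distinct_hosts": len({urlsplit(u).netloc for u in urls}),
        "fingerprint_hops": [u for u in urls if FINGERPRINT_HINTS.search(pages.get(u, ""))],
        "flash_lure": re.search(r"flash\s*player", final_body, re.I) is not None,
        "executable_links": exe_links,
    }


if __name__ == "__main__":
    urls, kinds = follow_chain("https://ad-agency.example/click?id=42", PAGES)
    for u, k in zip(urls, ["banner click"] + kinds):
        print(f"{k:>12}  {u}")
    print(assess(urls, PAGES))
```

In a real investigation the page map would be filled from captured responses (a proxy log or a headless browser), and the walker would also have to follow HTTP 3xx responses, which this offline version does not model. The point of the landing page having only a click-through link is that the chain stops there: everything before it ran without the user doing anything, which is exactly the behaviour the forced-redirect defences are meant to catch.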

The fraudsters sought to improve the effectiveness of their campaigns through better targeting, another feature that makes Zirconium look like a classic marketing agency.

Notably, Zirconium often did not own the pages on which the victim eventually ended up. Like traditional agencies, the attackers resold traffic and earned commissions on it.

The fraudulent network bought roughly 60% of all online advertising spots offered by major ad networks in a given week. Almost all of the victims tricked by Zirconium's rogue ads lived in the US.

Mobile devices were not targeted: all of the campaigns focused on desktop computers and laptops. The operating system did not matter, and Windows, Mac, Linux and Chrome OS users were all attacked.

Working through legitimate advertising platforms and hiding behind numerous small agencies helped the criminals stay unnoticed for most of 2017. In October they began using fingerprinting scripts more aggressively, which drew the attention of security researchers.

Security analysts who studied the structure of the fake advertising conglomerate found offshore companies with Seychelles addresses among its owners. Many of these Seychelles companies were already known from other fraudulent schemes, such as semi-legal Bitcoin exchanges and financial pyramids. One of them turned out to be connected with the well-known Bitcoin exchange BTC-e.com, which was shut down by the FBI in the summer of 2017.
