28 Fake Ad Agencies Used to Spread Malicious Ads
Malicious advertising, which cybercriminals use to redirect users to various harmful and fraudulent websites, has long been a major problem. However, last year this method of delivering malware and luring victims to fake tech support sites was used especially often. Part of the responsibility for this lies with the Zirconium campaign, during which more than 1,000,000 placements of dangerous ads were purchased.
Experts from Confiant reported on the large-scale Zirconium operation, which began in February 2017. According to researchers, the attackers created a network of 28 fake advertising agencies and gradually managed to establish relationships with major ad platforms, earning a good reputation. The criminals even went so far as to create a website for each non-existent company, invent fake executives and developers, and set up fake social media profiles for them, including on LinkedIn and Twitter.
Fake Executives and Companies
Once the fake firms were fully operational, the Zirconium campaign operators began using them to buy ad space for malicious ads on legitimate, popular websites. The attackers used a technique called “forced redirects” (also known as tab-under): the ad's code navigated the victim's browser, without any click, to an intermediate domain that analyzed and sorted incoming traffic, and then sent the user on to another domain, also controlled by the Zirconium operators. Where the victim ended up next depended on whom the attackers had sold the traffic to. The redirect chain could lead to a fake antivirus or tech support site, a page offering to install malware disguised as a Flash Player update, and so on.
How the Zirconium Scheme Worked
Confiant researchers wrote that at the peak of the Zirconium operation, the ads purchased by the group reached 62% of websites that monetize through advertising each week. According to their estimates, about 2.5 million users were affected by the attackers, with 95% of the victims located in the United States. Some examples of the pages victims landed on are shown below.
Focus on Desktop Browsers
Interestingly, the Zirconium operators completely ignored mobile traffic: they were only interested in desktop browsers. The criminals did not differentiate between operating systems, targeting users of Windows, Linux, and macOS alike.
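The redirect chain described above (publisher page, then a traffic-sorting domain, then the buyer's landing page) and the desktop-only filtering are both visible in browser or proxy telemetry if the initiator of each top-level navigation is recorded. The following Node.js script is an added example, not code from the original article or from Confiant: it runs over a constructed navigation log (the domains, tab IDs and timestamps are invented for illustration) and flags chains that begin with a cross-origin ad frame navigating the top-level page without a user gesture and continue through further script-driven hops within a short window. Navigations the user clicked, and same-origin script navigations such as in-page routing, are not flagged.

```javascript
// Added example (not from the article): flag forced-redirect chains in a
// navigation log. Each event is one top-level navigation of a browser tab.
//   t               - timestamp in ms
//   tab             - tab identifier
//   url             - URL the tab navigated to
//   initiator       - "user" (typed/clicked) or "script"
//   initiatorOrigin - origin of the document whose script triggered the
//                     navigation (null for user navigations)
//   userGesture     - whether a click/keypress preceded the navigation
//   ua              - user-agent string of the browser
const DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/63.0";
const MOBILE_UA = "Mozilla/5.0 (Linux; Android 8.0) Mobile Chrome/63.0";

// Constructed sample log, modelled on the chain the article describes.
const navLog = [
  // Tab 1: article page -> sorting domain (forced by the ad frame) -> landing.
  { t: 0, tab: 1, url: "https://news.example/article", initiator: "user",
    initiatorOrigin: null, userGesture: true, ua: DESKTOP_UA },
  { t: 1200, tab: 1, url: "https://sort.example-tds.net/r?c=7", initiator: "script",
    initiatorOrigin: "https://ads.example-agency.net", userGesture: false, ua: DESKTOP_UA },
  { t: 1800, tab: 1, url: "https://update-flash.example-landing.com/", initiator: "script",
    initiatorOrigin: "https://sort.example-tds.net", userGesture: false, ua: DESKTOP_UA },
  // Tab 2: ordinary clicks, nothing to flag.
  { t: 9000, tab: 2, url: "https://shop.example/", initiator: "user",
    initiatorOrigin: null, userGesture: true, ua: MOBILE_UA },
  { t: 9500, tab: 2, url: "https://shop.example/cart", initiator: "user",
    initiatorOrigin: null, userGesture: true, ua: MOBILE_UA },
  // Tab 3: same-origin script navigation, then an ad the user actually clicked.
  { t: 20000, tab: 3, url: "https://blog.example/post", initiator: "user",
    initiatorOrigin: null, userGesture: true, ua: DESKTOP_UA },
  { t: 21000, tab: 3, url: "https://blog.example/post?page=2", initiator: "script",
    initiatorOrigin: "https://blog.example", userGesture: false, ua: DESKTOP_UA },
  { t: 25000, tab: 3, url: "https://partner.example/offer", initiator: "script",
    initiatorOrigin: "https://ads.example-agency.net", userGesture: true, ua: DESKTOP_UA },
];

// Crude desktop/mobile split; the article notes Zirconium only took desktop traffic.
function isDesktopBrowser(ua) {
  return !/Mobile|Android|iPhone|iPad/i.test(ua);
}

function originOf(url) {
  return new URL(url).origin;
}

// Returns one record per detected chain: the tab, the ad origin that forced the
// first hop, the ordered list of URLs, and whether the victim browser was desktop.
function findForcedRedirectChains(events, windowMs = 5000) {
  const byTab = new Map();
  for (const e of events) {
    if (!byTab.has(e.tab)) byTab.set(e.tab, []);
    byTab.get(e.tab).push(e);
  }
  const chains = [];
  for (const [tab, list] of byTab) {
    list.sort((a, b) => a.t - b.t);
    for (let i = 1; i < list.length; i++) {
      const prev = list[i - 1];
      const e = list[i];
      // First hop: a script in a frame whose origin differs from the page the
      // tab was on navigated the top-level document with no user gesture.
      const forcedByFrame = e.initiator === "script" && !e.userGesture &&
        e.initiatorOrigin !== null && e.initiatorOrigin !== originOf(prev.url);
      if (!forcedByFrame) continue;
      const hops = [prev.url, e.url];
      // Follow further gesture-less script navigations that arrive quickly.
      let j = i;
      while (j + 1 < list.length) {
        const next = list[j + 1];
        if (next.initiator !== "script" || next.userGesture ||
            next.t - list[j].t > windowMs) break;
        hops.push(next.url);
        j++;
      }
      chains.push({
        tab,
        adOrigin: e.initiatorOrigin,
        hops,
        domains: hops.map((h) => new URL(h).hostname),
        desktop: isDesktopBrowser(e.ua),
      });
      i = j; // skip the hops already consumed by this chain
    }
  }
  return chains;
}

for (const c of findForcedRedirectChains(navLog)) {
  console.log(`tab ${c.tab}: forced by ${c.adOrigin} -> ${c.domains.join(" -> ")}`);
}
```

The intermediate "sorting" domain is the most useful pivot point: it appears in every chain regardless of which buyer the traffic was sold to, so once one chain is confirmed, the second hop's hostname can be searched for across the rest of the telemetry.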
Of the 28 fake ad agencies created by the attackers, only 20 were actually used in the Zirconium operation, but Confiant researchers published a full list of the fake firms, including the “dormant” ones. However, the experts declined to name the 16 ad platforms that worked with the criminals.
Why Exploit Kits Were Not Used
In conclusion, Confiant analysts noted an interesting fact: the Zirconium campaign was almost never used to redirect traffic to exploit kits, as was common in the past. According to the experts, this is because almost all modern browsers have stopped enabling Flash by default and have become much better hardened, making the classic exploit kit delivery scheme ineffective. It’s worth noting that browser developers are indeed doing everything they can to combat this kind of abuse. For example, the recently released Chrome 64 protects users from the “forced redirects” exploited by Zirconium: a cross-origin iframe is no longer allowed to navigate the top-level page unless the user has interacted with that frame.