Inside 'Master134': ExoClick tied to previous malvertising campaigns
Online ad network ExoClick denied any involvement in the Master134 campaign, but the company has ties to similar malvertising threats.
ExoClick bills itself as one of the largest and most successful online advertising networks, driving 7 billion ad impressions a day. It's also been connected to multiple malvertising incidents, including the "Master134" campaign last year.
Based in Barcelona, Spain, the company provides online advertising services to publishers and advertisers. ExoClick is also arguably the largest and most well known of the online ad companies cited in the Master134 report; W3Techs listed the company as the fifth most widely used online ad network in the world as of April 2019.
Despite its credentials, ExoClick was implicated in the Check Point Research report on the Master134 campaign, titled "A Malvertising Campaign of Secrets and Lies." The research group, part of Check Point Software Technologies, claimed a threat actor operating a remote server at an IP address of 134.249.116.78 was hijacking traffic from more than 10,000 vulnerable WordPress sites. The hijacked traffic was purchased by Cyprus-based ad network Adsterra, which then sold the traffic to ad network resellers who sold the traffic to threat actors operating malicious domains.
ExoClick was named as one of three resellers in the Master134 chain. The company denied any direct involvement in the malvertising campaign. The remaining two resellers, EvoLeads and AdventureFeeds, made no denials or public acknowledgements of the report.
While Check Point didn't outright accuse the resellers of wrongdoings, the research team had strong words for the companies. "Although we would like to believe that the Resellers that purchase Master134's ad space from Adsterra are acting in good faith, unaware of Master134's malicious intentions," the report reads, "an examination of the purchases from Adsterra showed that somehow, space offered by Master134 always ended up in the hands of cybercriminals, and thus enables the infection chain to be completed."
ExoClick suspended Adsterra from its network to fully investigate the matter, according to Giles Hirst, head of communications at ExoClick.
"ExoClick takes security very seriously, and we have a compliance team and a security team working hard to keep the bad actors out of our network," he said.
Hirst also claimed not to understand how the Master134 scheme worked and what the endgame was for companies involved.
"The article is quite inflammatory, suggesting ExoClick benefits from this and is somehow in partnership with those people," Hirst said. "Those are pretty serious allegations, and we fail to identify exactly how it is we would actually benefit from this."
Check Point's report explained that one party infected websites and redirected visitors to the ad companies, generating revenue for both the ad companies and Master134, while the other malicious parties received a lucrative stream of potential infections for their exploit kits.
"I think the companies are fully aware that the traffic is suspicious," said Lotem Finkelsteen, Check Point Research's threat intelligence analysis team leader and one of the contributors to the Master134 report. "They may not know that they're connecting threat actors with victims, but they're intentionally not looking at the traffic because they're making money off of it, and if they do look and have to remove it, it'll harm the business."
According to Check Point's report, most of the ad networks implicated in Master134 used alias domains that were different from their corporate URLs; for example, EvoLeads used a malicious domain called bestabid.com. ExoClick was different -- Check Point researchers say the Master134 traffic was moved through the exoclick.com domain. This wasn't the first time ExoClick's corporate domains were flagged by security researchers for malicious redirections.
ExoClick's past
ExoClick, like Adsterra and other companies in this investigation, has been associated with previous malvertising campaigns. A Malwarebytes threat report from 2014 on malvertising campaigns on The Pirate Bay website cites exoclick.com as one of the advertising domains that redirected traffic to the Angler exploit kit. An ExoClick domain, syndication.exoclick.com, was also cited in the same 2017 FireEye report that named Adsterra's terraclicks.com domain as part of a campaign to redirect traffic to the Magnitude exploit kit [see part two of this series for more].
In that report, FireEye described a technique known as "domain shadowing" where threat actors create a malicious subdomain from a legitimate corporate domain. "It is not uncommon for popular ad servers to redirect to affiliate networks -- organizations that forward traffic to servers supporting other malicious domains, which are referred to as 'Cushion Servers' or 'Shadow Servers,'" said Zain Gardezi, vulnerability researcher at FireEye. "Some campaigns use the domain shadowing technique to camouflage rogue ad servers as legitimate advertisers."
The syndication.exoclick.com domain was one of the "rogue ad subdomains in this campaign" that used the domain shadowing technique, according to the report. In other words, FireEye believed the domain was created and controlled by threat actors and not the ad network. Gardezi said the IP address he observed for syndication.exoclick.com at the time of the report was different from the IP addresses for the primary ExoClick domain, which suggested the "rogue ad server" was operated by a third-party threat actor and not ExoClick itself.
The IP address FireEye researchers recorded for the syndication.exoclick.com domain in 2017 was 64.111.199.222, according to Gardezi. That address belongs to a hosting provider known as ISPrime Inc. in Weehawken, N.J. Meanwhile, ExoClick's primary domain points to hosting provider OVH, with additional IP addresses provided by Google Cloud and Leaseweb Global B.V. in Amsterdam.
However, SearchSecurity discovered information that indicates ISPrime was not being used by third-party threat actors and is instead one of ExoClick's corporate hosting providers. The information includes a list of customers on ISPrime's homepage, which cites ExoClick, as well as an ExoClick privacy policy page for the company's NeverBlock anti-ad blocking tool. It names OVH, Google, Leaseweb Global and ISPrime as third-party hosting services. Gardezi reviewed the information and confirmed it directly connects ExoClick, and not threat actors using domain shadowing, to the syndication URL.
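The reasoning in the preceding paragraphs is a reusable check: a subdomain whose hosting differs from the apex domain's is a domain shadowing candidate, but only until the organization's declared hosting providers are consulted. The script below is an added example written for this article, not code from FireEye, Check Point or ExoClick. The provider-to-prefix table is constructed for illustration and is not authoritative routing data; the apex IP 5.196.1.10 and the other sample addresses are made up, and only 64.111.199.222 and its attribution to ISPrime come from the article. In real use the IPs would come from a DNS resolver and the provider mapping from RDAP/WHOIS or a BGP-to-ASN feed.

```python
"""Domain shadowing heuristic: does a subdomain resolve to hosting the parent
organization is known to use?  Added example with constructed sample data."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed provider/prefix table for the example only. Real work would
# look each address up in RDAP/WHOIS or a prefix-to-ASN feed; none of these
# prefixes should be taken as an accurate allocation.
PROVIDER_PREFIXES: Dict[str, List[str]] = {
    "OVH":      ["5.196.0.0/16"],
    "ISPrime":  ["64.111.192.0/19"],   # constructed so 64.111.199.222 maps here
    "Leaseweb": ["37.58.0.0/16"],
    "Google":   ["35.190.0.0/16"],
}

_NETWORKS = [
    (name, ipaddress.ip_network(prefix))
    for name, prefixes in PROVIDER_PREFIXES.items()
    for prefix in prefixes
]


def provider_for(ip: str) -> Optional[str]:
    """Map an address to a provider name, or None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETWORKS:
        if addr in net:
            return name
    return None


def assess_subdomain(
    apex_ips: Iterable[str],
    sub_ips: Iterable[str],
    declared_providers: Iterable[str] = (),
) -> Tuple[str, Set[Optional[str]]]:
    """Classify a subdomain's hosting relative to its apex domain.

    Returns (verdict, unexplained_providers) where verdict is one of:
      "consistent"  - subdomain hosted only where the apex is hosted
      "explained"   - hosted elsewhere, but every provider is one the
                      organization itself declares (the ISPrime case)
      "suspect"     - hosted somewhere neither the apex nor the declared
                      list accounts for (FireEye's initial reading), or
                      at an address no provider table covers
    """
    apex = {provider_for(ip) for ip in apex_ips}
    sub = {provider_for(ip) for ip in sub_ips}
    declared = set(declared_providers)
    # None (unknown provider) is never explained by the declared list.
    unexplained = {p for p in sub if p is None or (p not in apex and p not in declared)}
    if unexplained:
        return "suspect", unexplained
    if sub <= apex:
        return "consistent", set()
    return "explained", set()


if __name__ == "__main__":
    apex = ["5.196.1.10"]            # constructed OVH-range address for the apex
    shadow_candidate = ["64.111.199.222"]  # address reported for the subdomain
    # Without the hosting list the subdomain looks like a shadowed host.
    print(assess_subdomain(apex, shadow_candidate))
    # With the providers named in the organization's own policy, it does not.
    print(assess_subdomain(apex, shadow_candidate, ("OVH", "Google", "Leaseweb", "ISPrime")))
```

The second call is the step the article describes: the same DNS observation flips from "suspect" to "explained" once the provider list from the company's own policy page is fed in, which is why an IP mismatch alone should not be reported as domain shadowing.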
If ExoClick was, in fact, operating the syndication.exoclick.com domain on its own during the Magnitude exploit kit campaign, then the Master134 campaign would mark the second time in two years an ExoClick corporate domain was used to funnel traffic to exploit kits.
ExoClick was cited in a third exploit kit campaign as well. In March 2017, a Malwarebytes report revealed ExoClick's ad network was used to redirect traffic to the RIG exploit kit, though researchers attributed the activity to a third-party advertiser. Malwarebytes noted ExoClick "was informed and took action to stop the fraudulent advertiser."
By December 2017, Malwarebytes decided it had seen enough of ExoClick; the security vendor announced it had blocked two of the company's ad servers -- exosrv.com and exdynsrv.com -- because of the vast volume of redirects to scam sites as well as malicious domains. "Ads.exosrv[.]com has become our top malicious URL detection, totaling over 4 million blocks in one day," Malwarebytes said.
However, three days later, Malwarebytes updated its post with a statement from ExoClick and removed the blocks on the company's ad servers. ExoClick's statement read in part: "Where malwares and other forms of malvertising are detected through our internal tools we take down the offending ad fast within 15 minutes and effectively ban the advertiser or individual(s) responsible. We are one of the quickest in the industry to isolate and kill any infection and have strict policies against this."
Malwarebytes Labs sent a statement to SearchSecurity explaining why it reversed the block on ExoClick's ad servers. "There were a couple of reasons why we lifted the block on those 2 ExoClick domains," the statement read. "One of them being that when an ad network takes action to remediate malvertising, we always review other cases and evaluate if the block should still be maintained or lifted.
"The other reason is that we were also able to apply more precise blocks in order to protect our users. Indeed, there are many levels of redirections from the initial ad call to the final ad impression (or malvertising) being served. If we are able to pinpoint within that chain where malicious activity is occurring, then this is what we will block."
Who's to blame?
Malicious actors frequently pose as legitimate advertisers and publishers to take advantage of ad networks such as ExoClick; the above examples could be attributed to a combination of bad luck and an especially large amount of interest in the company from cybercriminals.
However, Master134 is different from earlier malvertising campaigns; in this case, ExoClick wasn't accused of serving ads containing malicious code. Instead, Check Point claims ExoClick was moving suspicious traffic from Adsterra, which has a troubled history, through its own corporate domain and reselling the traffic to specific threat actors hosting known exploit kits on their domains.
ExoClick did not respond to requests for comment on how it missed signs of malicious activity and on accusations of past involvement in redirection and malvertising schemes.
Read part five of our six-part series on the Master134 campaign and malvertising threats.