What’s worse than a malvertising campaign? One that hides in plain sight and manages to target more than 1 million users each day.

According to The Inquirer, collaboration between security firms Trend Micro and Proofpoint has largely shut down the malvertising campaign known as AdGholas. Still, it is worth taking a look at some of its finer points, such as the potential impact for enterprises as malvertising goes mainstream.

Out of Sight, Into Networks

As noted by Softpedia, security professionals first spotted AdGholas back in October 2015 while investigating two less sophisticated threats called GooNky and VirtualDonna.

The campaign placed its malicious advertisements on legitimate sites, such as The New York Times, The Verge, PC Mag and Ars Technica, through 22 different ad networks. It also filtered visiting machines so that only those matching specific criteria were ever sent to an exploit kit.

For example, the campaign was designed to screen out users who might be security researchers. It did so by abusing browser information disclosure bugs to learn about a visitor's system as soon as the browser rendered an infected ad, before any redirect took place.

Ideal Targets for a Malvertising Campaign

Users who had what the attackers wanted, namely OEM branding such as Lenovo, Dell or HP in their system properties along with Nvidia or ATI drivers installed, were redirected to Angler or Neutrino exploit kits and infected.

Those with customized or aftermarket machines, meanwhile, were steered away from the malicious landing pages. The goal: infect average, nontechnical users who would not recognize the signs of system compromise, and avoid the hand-built systems that analysts tend to run.

According to SC Magazine, this malvertising campaign also used steganography to hide malicious code inside the ad images themselves. An ad creative that scans as an ordinary image gives security firms and ad networks little to detect, which made it harder to track down infected sites and ad networks.
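The two mechanisms above, a payload hidden in image pixels and delivery gated on a victim fingerprint, as an added example in JavaScript that is not AdGholas code and does not come from the original article. It hides a loader string in the least significant bits of a canvas-style RGBA pixel buffer, shows that the change is at most one unit per color channel, and recovers the string only for a machine whose fingerprint passes a simplified filter. The pixel buffer, the payload string and the fingerprint fields (`oemBranded`, `gpuVendorDriver`, `researcherToolsFound`) are constructed for this example.

```javascript
// Added example (not AdGholas code): least-significant-bit steganography over
// a canvas-style RGBA buffer, plus a simplified victim filter in front of it.

const textEncoder = new TextEncoder();
const textDecoder = new TextDecoder();

// Constructed payload stub; a real campaign would hide a loader script here.
const SAMPLE_PAYLOAD = "/* hypothetical loader stub */ redirectToLandingPage();";

// Constructed sample image: deterministic pseudo-random RGB, opaque alpha,
// so the example runs offline without a real image file.
function makeSamplePixels(width, height) {
  const pixels = new Uint8ClampedArray(width * height * 4);
  let seed = 0x1234567;
  for (let i = 0; i < pixels.length; i++) {
    if (i % 4 === 3) { pixels[i] = 255; continue; }            // alpha channel
    seed = (Math.imul(seed, 1103515245) + 12345) & 0x7fffffff; // LCG step
    pixels[i] = (seed >> 16) & 0xff;
  }
  return pixels;
}

// Capacity in bits: one bit per R, G and B byte; alpha is never touched so the
// image keeps its transparency profile.
function capacityBits(pixels) {
  return Math.floor(pixels.length / 4) * 3;
}

// Embed a string into the lowest bit of each color byte, MSB-first per byte,
// behind a 4-byte big-endian length prefix. Returns a new buffer.
function embedPayload(pixels, payload) {
  const bytes = textEncoder.encode(payload);
  const data = new Uint8Array(4 + bytes.length);
  new DataView(data.buffer).setUint32(0, bytes.length, false);
  data.set(bytes, 4);
  if (data.length * 8 > capacityBits(pixels)) {
    throw new Error(`payload needs ${data.length * 8} bits, image carries ${capacityBits(pixels)}`);
  }
  const out = Uint8ClampedArray.from(pixels);
  let bitIndex = 0;
  for (let i = 0; i < out.length && bitIndex < data.length * 8; i++) {
    if (i % 4 === 3) continue; // skip alpha
    const bit = (data[bitIndex >> 3] >> (7 - (bitIndex & 7))) & 1;
    out[i] = (out[i] & 0xfe) | bit;
    bitIndex++;
  }
  return out;
}

// Read the length prefix, sanity-check it against the image, then decode.
function extractPayload(pixels) {
  let i = 0;
  const readBytes = (n) => {
    const out = new Uint8Array(n);
    let read = 0;
    while (read < n * 8) {
      if (i >= pixels.length) throw new Error("ran out of pixels while decoding");
      if (i % 4 !== 3) {
        out[read >> 3] = (out[read >> 3] << 1) | (pixels[i] & 1);
        read++;
      }
      i++;
    }
    return out;
  };
  const length = new DataView(readBytes(4).buffer).getUint32(0, false);
  if (length > Math.floor(capacityBits(pixels) / 8) - 4) {
    throw new Error("length prefix exceeds image capacity: not a carrier image");
  }
  return textDecoder.decode(readBytes(length));
}

// Largest per-channel change the embedding introduced (at most 1).
function maxChannelDelta(a, b) {
  let max = 0;
  for (let i = 0; i < a.length; i++) max = Math.max(max, Math.abs(a[i] - b[i]));
  return max;
}

// Simplified stand-in for the victim filter run before decoding: only a stock
// OEM machine with a consumer GPU driver and no analyst tooling gets the payload.
// The fingerprint fields are assumptions made for this example.
function decodeIfTargeted(pixels, fingerprint) {
  const { oemBranded, gpuVendorDriver, researcherToolsFound } = fingerprint;
  if (!oemBranded || !gpuVendorDriver || researcherToolsFound) return null;
  return extractPayload(pixels);
}

// Usage: hide the payload, confirm the carrier is visually unchanged, recover it.
const original = makeSamplePixels(32, 32);
const stego = embedPayload(original, SAMPLE_PAYLOAD);
console.log("max channel delta:", maxChannelDelta(original, stego)); // at most 1
console.log("aftermarket box gets:", decodeIfTargeted(stego, { oemBranded: false, gpuVendorDriver: true, researcherToolsFound: false }));
console.log("stock OEM box gets:", decodeIfTargeted(stego, { oemBranded: true, gpuVendorDriver: true, researcherToolsFound: false }));
```

The point for defenders is in the last three lines: a scanner that fetches the creative sees an image whose bytes differ from a clean one by at most one unit per channel, and a research machine that fails the filter never sees the decoded script at all, so detection has to come from the behaviour of the page (the information-disclosure probes and the redirect) rather than from the ad content.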

No surprise, then, that the attack was reaching more than 1 million client machines per day at its height and redirecting 10 to 20 percent of them to exploit kits on the strength of those system checks. All in all, a big success for the bad guys.

The End User Explosion

While AdGholas fell apart after security companies got wise and warned the ad networks, there is a critical warning here for enterprises: end users are a huge risk. Why? Because more often than not they have exactly what mass malvertising efforts are looking for: stock OEM PCs with the branding and driver profile the campaign selected for.

Worse, thousands of those machines sit behind the same public IP address, which tells an attacker that entire departments are outfitted with near-identical desktops used by employees who depend on IT to keep their devices safe. With staff regularly browsing legitimate websites for both personal and professional use, the very sites that carried AdGholas ads, 1 million marks per day starts to look conservative.

Divide and Conquer

As noted by TechRepublic, malvertising defense is not impossible. The combination of fully patched PCs and browsers, a decent ad blocker and anti-exploit software can significantly reduce the chance of corporate compromise.

It is also worth taking things a step further. With crooks now targeting the stock machines that enterprises purchase by the truckload, even small changes to those PCs that move them away from the factory profile can weed them out of the ideal candidate pool; a filter built to avoid customized machines then works against the attackers rather than for them.

With a combination of solid end user analytics and responsive IT, enterprises can divide and conquer the threat posed by malicious ad campaigns.
