Revive ad servers being hacked to distribute malicious ads

The Tag Barnakle malvertising group is hacking into Revive ad servers to inject and deliver malicious advertisements on unwary visitors.

Most online publishers use hosted ad server platforms such as Google Ad Manager to deliver their ads, but some still prefer to use self-hosted ad serving platforms to have greater control and flexibility on how they display their ads.

One open-source self-hosted platform that has been around for the past ten years is called the Revive ad server.

Just like any application, Revive has had its share of vulnerabilities that can be used to inject malicious advertisements into web sites that utilize the ad server. 

In a new report by advertising security firm Confiant, we can see how one malvertiser known as Tag Barnakle is mass-compromising Revive ad servers to inject their own code into a publisher's existing advertising campaigns.

"In recent months, we have seen a wave of malvertisements that are attached to Revive creatives spanning dozens of instances of ad servers, including those owned and operated by publishers and ad networks," Confiant security researcher Eliya Stein explained in a report.

When compromising servers, Tag Barnakle will modify existing advertising creatives used by the publisher and append their own malicious JavaScript code to them.

This malicious code will detect when Firebug or a browser's developer console is open, and if not, perform a redirect to malicious sites that are promoting fake Adobe Flash updates.

Stein told BleepingComputer that these fake Adobe Flash player updates install the Shalyer Trojan or other botnet bundlers onto macOS systems.

For Windows users, the sample shared with BleepingComputer installs an adware bundle such as InstallCore that is known to infect victims with ransomware, information-stealing Trojans, unwanted browser extensions, and other malware.

Compromised ad servers have a long reach

Confiant has seen Tag Barnakle activity on over 360 web sites, but their reach is far larger due to the software being used by smaller real-time bidding ad serving providers.

In one compromised RTB ad provider, Confiant saw up to 1.25MM malicious ad impressions being pushed out in a single day.

"If we take a look at the volumes behind just one of the compromised RTB ad servers — we see spikes of up to 1.25MM affected ad impressions in a single day. For context, Tag Barnakle has compromised ~60 ad servers in total," Confiant stated in their report.

While it may be tempting to utilize your own ad servers, it also opens a publisher to the risk of potential hacks that allow attackers to inject malicious ads.

Therefore, only use an open-source ad server if you have the time and workforce to stay on top of security updates and be able to install them quickly as they are released.

If you are a small company with limited staff, it may be wiser to stick with a hosted solution to avoid these headaches and the risks involved.

Comments are closed.