Presidents’ Day Malvertising Campaign Hits US Users


Cyber security company Confiant reports up to 800 million malicious ad impressions recorded over a period of three days.

According to Confiant, a company that tracks bad ads, a massive malvertising campaign hit US users over the extended Presidents’ Day weekend.

Confiant researchers say in a private report shared with ZDNet that they saw as many as 800 million malicious ad impressions as part of this campaign.

The ads would redirect users to a wide range of malicious sites when clicked.

“Landing pages for these types of campaigns tend to rotate, but those we saw were not loaders of malware,” said Jerome Dangu, Confiant CTO, in an interview with ZDNet today. “They were rather more phishing-oriented.”

The ultimate objective was to get users to enter their personal and financial information into forms for all kinds of fake products. These details would be collected by the crooks and then sold or used in other fraudulent operations.

Confiant has tracked this group for months as “eGobbler,” a name inspired by the Thanksgiving holiday, when researchers first saw this threat actor's campaigns in action.

“Although these attackers have been around for months, they have concentrated their efforts over the holiday weekend of Presidents’ Day, correctly assuming that they will be successful at a time when ad operations teams are offline or less available for security problems,” the company wrote in its report.

The security company says eGobbler's malicious ads were configured to appear only for users based in the US. This is the third malvertising campaign aimed at the US that Confiant has reported in the last six months.

The first was the ScamClub operation, which was detected in November 2018 and took over 300 million browser sessions over 48 hours to redirect users to adult and gift card scams.

The second was the VeryMal group, which also targeted US users, hijacking more than five million web sessions to redirect Apple users to pages offering downloads of malware.

Although Confiant has not yet officially confirmed this, eGobbler also seems to have targeted Apple users.
Confiant researchers say that the eGobbler group used a JavaScript API to look up the user's GPU chipset type, filtering for traffic from devices with Apple's custom A11 or A12 GPU chipsets.

On the surface, it may appear that the three operations are related based on their Apple-centric targeting preferences, but researchers have not drawn any official conclusions on this issue.

When we asked whether ad blockers are a good solution to prevent bad ads from loading in people's browsers, the Confiant CTO warned that blocking ads may not be the best long-term solution for the health of the Internet.

In other words, the Confiant CTO says that users wouldn’t feel the need to block ads in the first place if ad platforms did a better job of policing their ads.

While the advertising industry has already begun to examine imposing a minimum threshold for the quality of online advertising with the adoption of “better advertising standards,” Dangu argues that advertising platforms should also look at the security of their platforms against criminal abuse.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.