back to article How hack on 10,000 WordPress sites was used to launch an epic malvertising campaign

Security researchers at Check Point have lifted the lid on the infrastructure and methods of an enormous "malvertising" and banking trojan campaign. The operation delivered malicious adverts to millions worldwide, slinging all manner of nasties including crypto-miners, ransomware and banking trojans. The researchers told The …

  1. tiggity Silver badge

    For how many years?

    .. have people being saying how the "ad industry" was just totally dodgy .. Most people I know that have adblock software are using it as malware protection because we all know the ad system is used to sling Trojans etc. Blocking / script barring as PC protection has long been necessary as malware has been ad dispensed for ages.

    1. John Brown (no body) Silver badge

      Re: For how many years?

      "Most people I know that have adblock software are using it as malware protection"

      This! As I just posted the other day, the El Reg domain is white listed in my uBlock and NoScript add-ons, but 3rd party sites are not white listed. I see no ads on El Reg. If El Reg can serve their own ads, not only will I see them, but they will be able to control (and be responsible for) the ads we see.

    2. Version 1.0 Silver badge

      Re: For how many years?

      Our local newspaper doesn't allow us to read it because I installed an adblocker on every browser - the wife figured this out and turned it off. An hour later she calls me, "There a box on the screen saying that we're infected with 5,682 different viruses and it will cost $99 to clear them from the computer" - luckily she just panicked and pull the plug out of the wall so all I had to do was clear the cache and turn the adblocker back on when I got home.

  2. Sgt_Oddball
    Paris Hilton

    Next you'll be telling us...

    That flash adverts are perfrctly fine and that the honest adSlingers only have our best intentions at heart...

  3. EJ

    Security researchers at Check Point should quit messing around and fix their incredibly buggy security blades that charge arms and legs for.

    1. iron Silver badge

      Because obviously they're exactly the same team that should be doing that. Its just not possible for a company to have more than one department that do different things, no.

      1. EJ

        Resource allocation. Invest in the product, which sorely needs the support and attention.

  4. Halcin


    Preaching to the choir.

    It's not until stories like this make it to the front page of "mainstream" media, will anything happen. And considering we're 10 years and counting - I an't holding my breath.

    1. Anonymous Coward
      Anonymous Coward

      Re: Meh

      And all the sites asking me to disable my adblocker can go to hell!

  5. GnuTzu

    Blocked for an Entire Organization

    For the most part, nobody in the organization complains about this. Go figure. But, there was one news site, Forbes, that refused content when detecting blocked ads, and some people actually asked that it be allowed--which we didn't do. Last I checked, Forbes works a little differently now.

    How to Fix It:

    If you want to use ads to monetize content, it's either going to take an ad network or other vehicle that'll take responsibility for any infections. And, that might take being able to sue those who infect people by using tainted ad providers. But, I'm not holding out for this.

    1. Anonymous Coward
      Anonymous Coward

      Re: Blocked for an Entire Organization

      How to Fix It 2:

      Develop a proper micropayment architecture that avoids the need for shitty adverts and casts web-marketeers into a dark, silent abyss where they belong for all time.

      The actual "value per view" for an ad-funded website is trivial, and they probably could charge most reader's more than we "pay" through adverts. Unfortunately the dinosaurs (like daily news papers) are obsessed with wildly expensive monthly or annual subscriptions, and other websites refuse to understand that most users don't want to register their details individually webshite by webshite.

    2. JohnFen

      Re: Blocked for an Entire Organization

      "an ad network or other vehicle that'll take responsibility for any infections"

      You may as well wish for a unicorn -- that's just as likely to turn up. Besides, it's the ad networks that are the primary problem. I'll never trust an ad from a network. I have no problem trusting ads that are hosted by the site I'm viewing, have no connection to an ad network of any sort, and contains no javascript or other code.

  6. SImon Hobson Bronze badge

    Reading between the lines, I assume that the ad brokers simply didn't screen the ads they were pushing - hence allowing the primary scum to use them to push the malware out. So the ad slingers are secondary scum - not actually producing the malware themselves, but taking money to do so for 3rd parties.

    So we have a system where web site owners rely on third parties to provide "content" in the form of adverts in return for a share of the proceeds. OK, nothing fundamentally wrong with that IMO - it's just what every newspaper and magazine does in order to stay afloat. But these 3rd parties are not smart enough to filter out malware before serving it, presumably trusting their customers (the advert providers) who presumably "pinky swear" not to stuff anything bad in.

    TL;DR version - system relying on trust fails when some actors are not trustworthy.

    What could possibly go wrong there.

    Icon says it all.

    1. Notas Badoff

      Trench warfare

      Here I was thinking that "ad brokers" were basically "ad aggregators", but that's not really true. They are "hole aggregators", aiming to fill the holes on all those web pages. When they run out of jewels and gems, they fill the holes with turds, though wrapped in toilet paper sometimes. They turn your browser into a latrine. You knew this...

  7. Rob D.

    Lawyering up

    > Check Point said the criminals made a laughing stock of the legitimate online advertising ecosystem.

    The crims are really a bit late to that particular party. But at least they are making some money out of it.

    None of this changes until someone starts suing the legitimate parts of the chain for actual damage incurred such as from a ransomware infection(*). IANAL - anyone know how that would/could/should work? Can a web site that serves up 3rd party malware legitimately be held responsible (in any jusrisdiction)?

    I'm currently retaining the legal representation of Messrs. N. O'script, P. Badger and U. Block.

    1. GnuTzu

      Re: Lawyering up

      "legal representation of Messrs. N. O'script, P. Badger and U. Block."

      Personally, I like using P. Badger and Ghostery in tandem (along with the script blockers), I think they make a great team.

  8. Mage Silver badge

    script blocking

    by DEFAULT, EVERY browser should block every 3rd party cookie and javascript.

    Some domains should be always blacklisted.

    User can whitelist, once off.

    Why do people have to install noScript (used to use it), uMatrix (current on Firefox on all my platforms), uBlock etc?

    Far more effective than AV SW and speeds up rather than slows computer use!

  9. Maelstorm Bronze badge

    Waiting for a response...

    "El Reg invited AdsTerra, AdKernel, AdventureFeeds and EvoLeads to comment. We'll update this story as and when we get a response."

    And there's some more to add to the DNS block list. I need a full list so I can block all of them. Ad block software not needed, and it's not detectable since it's running on my own server.

    1. Stuart 22

      Re: Waiting for a response...

      "And there's some more to add to the DNS block list. I need a full list so I can block all of them. Ad block software not needed, and it's not detectable since it's running on my own server."

      I use pi-hole and it is sometimes detected - which isn't that difficult with a simple test. Most sensible sites realise that if I'm excluding ads then I'm hardly likely to click on one so there is no point in getting emotional about it.

      As for the few others do they seriously expect me to turn it off and reconfigure my DHCP just to see their site? Dream on ...

  10. Anonymous Coward
    Anonymous Coward

    It's incredibly difficult

    The exact content users see depends on who they are, where they are, what device they're using and other variables. This makes it incredibly difficult for both publishers and ad networks to conclusively review every version of an advert for malicious content.

    I don't see what the difficulty is. In the US, ad agencies are starting to be held liable for false advertising by their clients[1]. It is only a short step to hold them liable for distributing malware.


  11. MadonnaC

    Uninstalling Flash, and installing uBlock Origin has stopped me getting an infection for years.

    I don't miss all the crappy flash games, and I definitely don't miss the noisy flash ads.

  12. Wade Burchette

    There is a simple solution

    "The ads often contained malicious JavaScript."

    There is a simple solution to malvertising: ABSOLUTELY NO JAVASCRIPT, JAVA, FLASH, or SIMILAR IN ANY AD EVER, NO EXCEPTION! Advertisements used to work just fine without javascript, java, or Flash. What changed?

    But this will never happen. Their greed trumps my security (and privacy) every day of the week, and twice on Sunday.

  13. Anonymous Cowtard

    " at least 40,000 clicks on malicious adverts"

    Who clicks on adverts? Has anybody here ever clicked an ad? Does anybody know somebody who has clicked on an ad?

    I've accidentally clicked on ads twice. A casual survey of friends and family shows a similar pattern. Those 40,000 clicks can't all be accidental.

  14. Alistair

    I recall, a *very* long time ago, when a cron script for an scp choked because someone changed the IP of the Ad Host Gateway.

    We used to poll said gateway every 30 minutes. The ad files were pngs and named according to the shape/size/relevance. Copied em over to the webserver and reloaded. At least I then knew all 12 of the yuman beans that put those ads together.

    No more will this be apparently.

  15. wsm

    legit web ad ecosystem?

    Doesn't exist.

  16. AdkernelCEO

    Adkernel - leading white label technology firm's been wrongly classified as a player in this article

    This is Yevgen Peresvyetov, CEO of AdKernel and we’d like to comment on the article above.

    As a white label tech firm, we have ongoing and active technologies to detect fraud and we support all industry efforts to contain the issue. That said, unfortunately the article includes AdKernel as an actor in this fraud scheme which is 100% incorrect. Specifically, we are not now and have never been a reseller or ad network as the research blogpost suggests numerous times. Additionally, the errors in the original blogpost are compounded since Checkpoint assumed Adkernel owns domains: and We do not! They are owned by ad network clients of AdKernel. Another factual error.

    While the researchers did a great job discovering fraudulent and malvertising activities, they mistakenly included Adkernel as an "ad-network" or "reseller. We have we contacted Check Point requesting an immediate correction to the report since the information in the post in inaccurate.

    Malvertising is the industry-wide problem. You can easily find articles about biggest ad networks on the planet has been compromized: We are constantly looking to improve ad-scanning techniques and growing our team of ad campaign reviewers & verification experts.

    We are on the same side with CheckPoint here. Come on, CheckPoint, we are allies in this fight! You are blaming wrong ppl!

  17. Tree


    I've used CCleaner for many years. I t works very well. One should always block auto updates on every software. I am glad I did with CCleaner. Still run version 5.43.6520. I used my firewall to block CCupdate.exe, so I hope I am safe. After reading this, I also blocked CCleaner.exe so it won't phone home. Didn't know it is SPYware.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like