August 1, 2016 By Douglas Bonderud 2 min read

What’s worse than a malvertising campaign? One that hides in plain sight and manages to target more than 1 million users each day.

According to The Inquirer, collaboration between security firms Trend Micro and Proofpoint has largely turfed the malvertising campaign known as AdGholas. Still, it’s worth taking a look at some of its finer points, such as the potential impact for enterprises as malvertising goes mainstream.

Out of Sight, Into Networks

As noted by Softpedia, security professionals first discovered AdGholas back in October 2015 when they were investigating two less sophisticated threats called GooNky and VirtualDonna.

Security pros discovered the malvertising campaign was displaying its malicious advertisements on legitimate sites, such as The New York Times, The Verge, PC Mag and Ars Technica, through 22 different ad networks. It was also filtering victim machines to ensure it only infected those that matched specific criteria.

For example, the malware was designed to discriminate against users who might be security researchers. It did so by using information disclosure bugs to discover information about a user’s system when he or she clicked on an infected ad.

Ideal Targets for a Malvertising Campaign

Users who had what the attackers wanted — OEM logos such as Lenovo, Dell or HP on their PC system pages along with Nvidia or ATI drivers installed — were redirected and infected by Angler or Neutrino exploit kits.

Those with customized or aftermarket machines, meanwhile, were steered away from malicious landing pages. The goal: Infect average, nontechnical users who might not recognize the signs of system compromise.

According to SC Magazine, this malvertising campaign also leveraged the highly advanced technique of stenography to hide malicious code in ad images themselves, making it even more difficult for security firms to track down infected sites and ad networks.

No surprise, then, that the attack was hitting more than 1 million client machines per day at its height, infecting 10 to 20 percent of those based on system information. All in all, a big success for the bad guys.

The End User Explosion

While AdGholas fell apart after security companies got wise and warned ad networks, there’s a critical warning here for enterprises: End users are a huge risk. Why? Because nine times out of 10, they have exactly what mega malvertising efforts are looking for: stock PCs that contain a number of key infection points.

Better still, there are thousands connected to the same IP address, which suggests entire departments outfitted with easily compromised desktops that are used by employees who depend on IT experts to ensure their devices remain safe and secure. With staff regularly surfing legitimate websites for both personal and professional use — sites compromised by the likes of AdGholas — 1 million marks per day starts to look conservative.

Divide and Conquer

As noted by TechRepublic, malvertising defense isn’t impossible. The combination of updated PCs, decent ad blockers and anti-exploit programs can significantly reduce the chance of corporate compromise.

It’s also worth taking things a step further. With crooks now targeting stock machines that enterprises purchase by the truckload, even small tweaks to these PCs can weed them out of ideal candidate pools and instead make them potential threats to mega malvertisers.

With a combination of solid end user analytics and responsive IT, enterprises can divide and conquer the potential of malicious ad campaigns.

More from

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today