Check Point Research’s report on the “Master134” malvertising campaign claimed ad network Adsterra was “powering the whole process,” but another ad network was also involved in the early stages of the campaign.
Master134, which was first disclosed last summer, was an extensive malvertising operation that saw threat actors hijack traffic from more than 10,000 compromised WordPress sites and redirect it through several different ad networks to malicious domains hosting exploit kits. According to Check Point researchers, four of the five domains at the top of the Master134 redirection chain belong to Cyprus-based Adsterra [see part two of this series], but the fifth URL — onclkds.com — was something of a mystery.
Check Point Research’s report didn’t attribute the onclkds.com domain to any organization. The site, which is called “OnClick,” says it “is used by ad network Propeller Ads Media for ad serving.” The Master134 threat actors used the URL in question as a redirection hub from April to June of 2017; the threat actors then switched to Adsterra domains for the duration of the campaign.
Anonymous security research “Malware Breakdown” blogged about early Master134 activity on the site in the spring of 2017 (the research shows the 126.96.36.199 IP address at the top of the infection/redirection chain, just like in Master134). According to the research, the onclkds.com domain was redirecting traffic to malicious sites controlled by known malvertising campaigns such as HookAds and Seamless (which were also featured in the Master134 campaign) as well as obvious tech support scams, which host the RIG exploit kit.
“I have run into this domain many times before while doing research into malvertising redirection chains,” Malware Breakdown wrote in an email to SearchSecurity.
Propeller Ads Media is an ad network that was founded in 2011 in London, though public records indicate the company was officially dissolved in 2014. The company relaunched that same year as Propeller Ads Limited in the Isle of Man, a small island territory under the U.K. that became notorious in recent years for corporate tax shelters and shell companies. In 2016, Propellers Ads Limited opened offices in Cyprus, which like the Isle of Man has come under scrutiny for being a destination for shell companies and tax shelters.
We contacted Propeller Ads for comment about its domain appearing in the Master134 report. “We have submitted your request to the responsible employee,” a Propeller Ads representative, identified only as “Kira,” wrote via email. “They will take the appropriate actions.”
It’s unclear who Kira is, but the profile picture in the email is not a Propeller Ads employee and instead is a model from a stock photography website.
Another representative named “Olga” confirmed the onclkds.com domain belonged to the company and is used to redirect advertisements. “Propeller was unaware of any such allegations or activities [related to Master134],” Olga wrote in an email to SearchSecurity. “It is impossible to know whether traffic is hijacked and it is virtually impossible to ascertain whether the traffic is being redirected to malicious websites.
“As part of Propeller’s scheduled audit of this publisher, Propeller noticed certain irregularities and requested an explanation from this publisher,” she said. “When the publisher failed to respond, Propeller discontinued servicing this publisher and permanently banned him. That’s why in the report you can see that Propeller has stopped doing business with this publisher, while other advertising platforms continue to monetize that relationship.”
The representative did not say what specific “irregularities” were discovered. She also said Propeller Ads could not reveal the identity of the publisher “without a court order” because of EU privacy regulations, though they did not specify what regulations prevented such a disclosure.
Propeller Ads did not respond to further questions about Master134.
Propeller Ads’ past
The onclkds.com site and other, similar domains belonging to Propeller Ads have been previously flagged by other vendors and researchers in the past.
The onclkds.com domain was cited in the 2017 FireEye malvertising report that also implicated Adsterra. FireEye researchers, which attributed the domain to Propeller Ads, said the domain was used as a redirection point in campaigns for both the Magnitude and Sundown exploit kits, while similarly named URLs, onclickads.net and onclckads.net, were also listed as malvertising domains. (In an update posted two days after the publication of the report, FireEye researchers thanked several companies, including Propeller Ads, for “closing down rogue accounts” linked to the campaigns.)
Another 2017 report from cloud security vendor Zscaler claimed onclkds.net, also attributed to Propeller Ads, was used as a redirection point for a malvertising campaign that moved traffic to the Terror exploit kit. In 2016, threat detection vendor Proofpoint reported Propeller Ads’ onclickads.net domain was used in a campaign to drive traffic to the DNSChanger exploit kit, though Proofpoint put the blame on threat actors “primarily interested in stealing traffic” from ad networks like Propeller Ads. All three vendor reports noted the extremely high Alexa rankings for Propeller Ads’ domains; for example, Proofpoint noted onclickads.net was as high as 32 at the time of its report (the site’s global ranking is now 245,901).
Most recently, a Malwarebytes report last May detailed a tech support scam that used two other domains attributed to Propeller Ads — deloton.com and oclasrv.com — to redirect traffic to malicious domains. FireEye published another malvertising report in September that showed Propeller Ads’ cobalten.com domain redirecting traffic to the Rig and Fallout exploit kits.
Propeller Ads did not respond to additional requests for comment about these previous malvertising incidents.
Read part six of our six-part series on the Master134 campaign and malvertising threats.