Security researchers from Proofpoint and Trend Micro have uncovered a massive malvertising campaign that has been running since the summer of 2015, targeting over one million users per day and infecting thousands. Unconfirmed clues might link it to activity as early as 2013.
Researchers first spotted the campaign last October, while investigating two other massive, and easier to spot, malvertising campaigns codenamed GooNky and VirtualDonna.
According to subsequent research carried out by both companies, this campaign, codenamed AdGholas, used innovative and sophisticated techniques to avoid detection.
AdGholas Malvertising campaign hit 22 ad networks
Crooks used 22 different ad networks to display their ads on a large number of legitimate sites.
They used the traffic filtering controls provided by the advertising platforms to show their malicious ads only to the audience they were interested in targeting.
However, the group wasn't satisfied and also used additional homegrown fingerprinting scripts to filter the users that clicked on the ads or were redirected to their own malicious domains.
These additional filters used several information disclosure bugs to leak details about the users' operating systems.